From a11a2caee4bd4ba68738f27a69589b3db89e825b Mon Sep 17 00:00:00 2001 
From: Mend Renovate
Date: Wed, 1 Jul 2026 03:44:02 +0000
Subject: [PATCH] Update github-actions
---
 ...ontainer-based.push.main.default.slsa3.yml | 12 +++++-----
 ....container-based.push.main.multi.slsa3.yml | 12 +++++-----
 ...iner-based.schedule.main.default.slsa3.yml | 10 ++++----
 ...edule.main.gcp-workload-identity.slsa3.yml | 22 ++++++++---------
 ...ainer-based.schedule.main.matrix.slsa3.yml | 10 ++++----
 ...schedule.main.registry-username-secret.yml | 12 +++++-----
 ...-based.schedule.main.registry-username.yml | 22 ++++++++---------
 ...container-based.tag.main.default.slsa3.yml | 14 +++++------
 ....main.adversarial-builder-binary.slsa3.yml | 2 +-
 ...main.adversarial-verifier-binary.slsa3.yml | 2 +-
 ...d.workflow_dispatch.main.default.slsa3.yml | 12 +++++-----
 ...e.container.push.branch1.default.slsa3.yml | 24 +++++++++----------
 .../e2e.container.push.main.default.slsa3.yml | 22 ++++++++---------
 ....schedule.main.continue-on-error.slsa3.yml | 24 +++++++++----------
 ....container.schedule.main.default.slsa3.yml | 20 ++++++++--------
 ...edule.main.provenance-repository.slsa3.yml | 20 ++++++++--------
 ...2e.container.tag.branch1.default.slsa3.yml | 24 +++++++++----------
 .../e2e.container.tag.main.default.slsa3.yml | 24 +++++++++----------
 ...r.tag.main.gcp-workload-identity.slsa3.yml | 24 +++++++++----------
 ...iner.tag.main.registry-username-secret.yml | 24 +++++++++----------
 ...orkflow_dispatch.branch1.default.slsa3.yml | 22 ++++++++---------
 ....main.adversarial-builder-binary.slsa3.yml | 12 +++++-----
 ...main.adversarial-verifier-binary.slsa3.yml | 12 +++++-----
 ...r.workflow_dispatch.main.default.slsa3.yml | 22 ++++++++---------
 ...ow_dispatch.main.workflow_inputs.slsa3.yml | 22 ++++++++---------
 ...tor-generic.create.main.checkout.slsa3.yml | 14 +++++------
 ...ator-generic.create.main.default.slsa3.yml | 14 +++++------
 ...egator-generic.push.main.default.slsa3.yml | 14 +++++------
 ...or-generic.release.main.checkout.slsa3.yml | 14 +++++------
 ...tor-generic.release.main.default.slsa3.yml | 14 +++++------
 ...legator-generic.tag.main.default.slsa3.yml | 14 +++++------
 ...rkflow_dispatch.branch1.checkout.slsa3.yml | 14 +++++------
 ...orkflow_dispatch.branch1.default.slsa3.yml | 14 +++++------
 ....workflow_dispatch.main.checkout.slsa3.yml | 14 +++++------
 ...c.workflow_dispatch.main.default.slsa3.yml | 14 +++++------
 ...tor-lowperms.create.main.default.slsa3.yml | 14 +++++------
 ...gator-lowperms.push.main.default.slsa3.yml | 14 +++++------
 ...or-lowperms.release.main.default.slsa3.yml | 14 +++++------
 ...egator-lowperms.tag.main.default.slsa3.yml | 14 +++++------
 ...s.workflow_dispatch.main.default.slsa3.yml | 14 +++++------
 .../e2e.gcb.push.main.default.slsa3.yml | 14 +++++------
 ...e2e.gcb.tag.main.annotated-build.slsa3.yml | 14 +++++------
 ...orkflow_dispatch.main.dockerfile.slsa3.yml | 4 ++--
 ...e2e.generic.push.branch1.default.slsa3.yml | 16 ++++++-------
 .../e2e.generic.push.main.default.slsa3.yml | 14 +++++------
 ...eneric.push.main.upload-tag-name.slsa3.yml | 14 +++++------
 ...e2e.generic.release.main.default.slsa3.yml | 16 ++++++-------
 ...ule.main.adversarial-invalidpath.slsa3.yml | 6 ++---
 ...main.adversarial-invalidsubjects.slsa3.yml | 6 ++---
 ...2e.generic.schedule.main.default.slsa3.yml | 12 +++++-----
 ...ric.schedule.main.multi-subjects.slsa3.yml | 16 ++++++-------
 ...generic.schedule.main.multi-uses.slsa3.yml | 16 ++++++-------
 ...ic.schedule.main.provenance-name.slsa3.yml | 12 +++++-----
 .../e2e.generic.tag.branch1.default.slsa3.yml | 16 ++++++-------
 .../e2e.generic.tag.main.annotated.slsa3.yml | 14 +++++------
 .../e2e.generic.tag.main.assets.slsa3.yml | 16 ++++++-------
 ...goreleaser-assets-multi-subjects.slsa3.yml | 18 +++++++-------
 ...orkflow_dispatch.branch1.default.slsa3.yml | 14 +++++------
 ....main.adversarial-builder-binary.slsa3.yml | 2 +-
 ...main.adversarial-verifier-binary.slsa3.yml | 2 +-
 ...c.workflow_dispatch.main.default.slsa3.yml | 14 +++++------
 ...arge-subjects-adversarial-format.slsa3.yml | 10 ++++----
 ...arge-subjects-adversarial-sha256.slsa3.yml | 10 ++++----
 ...low_dispatch.main.large-subjects.slsa3.yml | 14 +++++------
 ...c.workflow_dispatch.main.tagname.slsa3.yml | 12 +++++-----
 ...ow_dispatch.main.workflow_inputs.slsa3.yml | 14 +++++------
 ...e.go.push.branch1.config-ldflags.slsa3.yml | 16 ++++++-------
 .../e2e.go.push.main.config-ldflags.slsa3.yml | 14 +++++------
 ...2e.go.push.main.config-noldflags.slsa3.yml | 12 +++++-----
 ...e.main.config-ldflags-assets-tag.slsa3.yml | 16 ++++++-------
 ...lease.main.config-ldflags-assets.slsa3.yml | 16 ++++++-------
 ...ase.main.config-ldflags-noassets.slsa3.yml | 16 ++++++-------
 ...e.main.adversarial-binary-upload.slsa3.yml | 6 ++---
 ...ain.adversarial-build-provenance.slsa3.yml | 6 ++---
 ....schedule.main.adversarial-build.slsa3.yml | 6 ++---
 ....schedule.main.adversarial-invalidpath.yml | 4 ++--
 ...ule.main.config-ldflags-main-dir.slsa3.yml | 12 +++++-----
 ...chedule.main.config-ldflags-main.slsa3.yml | 12 +++++-----
 ...o.schedule.main.config-noldflags.slsa3.yml | 10 ++++----
 ...hedule.main.noldflags-multi-uses.slsa3.yml | 20 ++++++++--------
 ...ag.branch1.config-ldflags-assets.slsa3.yml | 16 ++++++-------
 ...ag.main.adversarial-asset-binary.slsa3.yml | 12 +++++-----
 ...ain.adversarial-asset-provenance.slsa3.yml | 12 +++++-----
 ....config-ldflags-assets-draft-tag.slsa3.yml | 16 ++++++-------
 ...ig-ldflags-assets-prerelease-tag.slsa3.yml | 16 ++++++-------
 ...g.main.config-ldflags-assets-tag.slsa3.yml | 16 ++++++-------
 ...o.tag.main.config-ldflags-assets.slsa3.yml | 16 ++++++-------
 ...tag.main.config-ldflags-noassets.slsa3.yml | 16 ++++++-------
 ..._dispatch.branch1.config-ldflags.slsa3.yml | 16 ++++++-------
 ....main.adversarial-builder-binary.slsa3.yml | 2 +-
 ...main.adversarial-verifier-binary.slsa3.yml | 2 +-
 ...w_dispatch.main.config-noldflags.slsa3.yml | 12 +++++-----
 ..._dispatch.main.tagname-noldflags.slsa3.yml | 12 +++++-----
 ...h.main.workflow_inputs-noldflags.slsa3.yml | 12 +++++-----
 ...e.workflow_dispatch.main.default.slsa3.yml | 14 +++++------
 ...spatch.main.project-at-repo-root.slsa3.yml | 14 +++++------
 .github/workflows/e2e.installer-action.yml | 4 ++--
 ...n.workflow_dispatch.main.default.slsa3.yml | 14 +++++------
 .../e2e.nodejs.create.main.default.slsa3.yml | 14 +++++------
 .../e2e.nodejs.push.branch1.default.slsa3.yml | 14 +++++------
 ...e2e.nodejs.push.main.adversarial.slsa3.yml | 8 +++----
 ....nodejs.push.main.custom_publish.slsa3.yml | 14 +++++------
 .../e2e.nodejs.push.main.default.slsa3.yml | 14 +++++------
 .../e2e.nodejs.push.main.disttag.slsa3.yml | 14 +++++------
 .../e2e.nodejs.push.main.node16.slsa3.yml | 14 +++++------
 .../e2e.nodejs.push.main.node18.slsa3.yml | 14 +++++------
 .../e2e.nodejs.release.main.default.slsa3.yml | 14 +++++------
 .../e2e.nodejs.tag.main.default.slsa3.yml | 14 +++++------
 .../e2e.nodejs.tag.main.unscoped.slsa3.yml | 14 +++++------
 ...s.workflow_dispatch.main.default.slsa3.yml | 14 +++++------
 .../workflows/e2e.verify-token.push.main.yml | 2 +-
 .../workflows/e2e.verify-token.reusable.yml | 18 +++++++-------
 .github/workflows/e2e.vsa.gcp.gke.yml | 12 +++++-----
 .github/workflows/github-actions-demo.yaml | 2 +-
 .github/workflows/pre-submit.actionlint.yml | 2 +-
 .../workflows/pre-submit.golangci-lint.yml | 10 ++++----
 .github/workflows/pre-submit.shellcheck.yml | 2 +-
 .github/workflows/pre-submit.yamllint.yml | 2 +-
 .../schedule.delete-old-releases.yml | 2 +-
 ...e.all.workflow_dispatch.main.all.slsa3.yml | 16 ++++++-------
 120 files changed, 785 insertions(+), 785 deletions(-)
diff --git a/.github/workflows/e2e.container-based.push.main.default.slsa3.yml b/.github/workflows/e2e.container-based.push.main.default.slsa3.yml
index afdd703e6..ef7f0a5e5 100644
--- a/.github/workflows/e2e.container-based.push.main.default.slsa3.yml
+++ b/.github/workflows/e2e.container-based.push.main.default.slsa3.yml
@@ -23,7 +23,7 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-push.sh
 build:
@@ -45,7 +45,7 @@ jobs:
 needs: [build]
 if: github.event_name == 'push' && github.event.head_commit.message == github.workflow
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: ${{ needs.build.outputs.build-outputs-name }}
@@ -68,9 +68,9 @@ jobs:
 name=$(find "${FOLDER}"/ -type f | head -1)
 cp "${name}" .
 echo "name=$(basename "${name}")" >> "${GITHUB_OUTPUT}"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 BINARY: ${{ steps.build.outputs.name }}
 PROVENANCE: ${{ steps.att.outputs.name }}
@@ -81,7 +81,7 @@ jobs:
 needs: [build, verify]
 if: github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -89,5 +89,5 @@ jobs:
 needs: [build, verify]
 if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.verify.result == 'failure')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.container-based.push.main.multi.slsa3.yml b/.github/workflows/e2e.container-based.push.main.multi.slsa3.yml
index 51cccb43a..5c66a59b1 100644
--- a/.github/workflows/e2e.container-based.push.main.multi.slsa3.yml
+++ b/.github/workflows/e2e.container-based.push.main.multi.slsa3.yml
@@ -23,7 +23,7 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-push.sh
 build:
@@ -45,7 +45,7 @@ jobs:
 needs: [build]
 if: github.event_name == 'push' && github.event.head_commit.message == github.workflow
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: ${{ needs.build.outputs.build-outputs-name }}
@@ -68,9 +68,9 @@ jobs:
 name=$(find "${FOLDER}"/ -type f | head -1)
 cp "${name}" .
 echo "name=$(basename "${name}")" >> "${GITHUB_OUTPUT}"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 BINARY: ${{ steps.build.outputs.name }}
 PROVENANCE: ${{ steps.att.outputs.name }}
@@ -81,7 +81,7 @@ jobs:
 needs: [build, verify]
 if: github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -89,5 +89,5 @@ jobs:
 needs: [build, verify]
 if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.verify.result == 'failure')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.container-based.schedule.main.default.slsa3.yml b/.github/workflows/e2e.container-based.schedule.main.default.slsa3.yml
index 05a179af3..82ca4ca30 100644
--- a/.github/workflows/e2e.container-based.schedule.main.default.slsa3.yml
+++ b/.github/workflows/e2e.container-based.schedule.main.default.slsa3.yml
@@ -32,7 +32,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build]
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: ${{ needs.build.outputs.build-outputs-name }}
@@ -55,9 +55,9 @@ jobs:
 name=$(find "${FOLDER}"/ -type f | head -1)
 cp "${name}" .
 echo "name=$(basename "${name}")" >> "${GITHUB_OUTPUT}"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 BINARY: ${{ steps.build.outputs.name }}
 PROVENANCE: ${{ steps.att.outputs.name }}
@@ -70,7 +70,7 @@ jobs:
 # to issues unless it's a schedule event.
 if: github.event_name == 'schedule' && needs.build.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -80,5 +80,5 @@ jobs:
 # to issues unless it's a schedule event.
 if: always() && github.event_name == 'schedule' && (needs.build.result == 'failure' || needs.verify.result == 'failure')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.container-based.schedule.main.gcp-workload-identity.slsa3.yml b/.github/workflows/e2e.container-based.schedule.main.gcp-workload-identity.slsa3.yml
index 843db63c9..6bbac5e1f 100644
--- a/.github/workflows/e2e.container-based.schedule.main.gcp-workload-identity.slsa3.yml
+++ b/.github/workflows/e2e.container-based.schedule.main.gcp-workload-identity.slsa3.yml
@@ -47,13 +47,13 @@ jobs:
 workload_identity_provider: ${{ env.PROVIDER_NAME }}
 - name: Checkout the repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Authenticate Docker
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ${{ env.IMAGE_REGISTRY }}
 username: oauth2accesstoken
@@ -61,12 +61,12 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
 - name: Build and push Docker image
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 id: build
 with:
 push: true
@@ -93,7 +93,7 @@ jobs:
 workload_identity_provider: ${{ env.PROVIDER_NAME }}
 - name: Authenticate Docker
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ${{ env.IMAGE_REGISTRY }}
 username: oauth2accesstoken
@@ -134,7 +134,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [base, build]
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: ${{ needs.build.outputs.build-outputs-name }}
@@ -157,9 +157,9 @@ jobs:
 name=$(find "${FOLDER}"/ -type f | head -1)
 cp "${name}" .
 echo "name=$(basename "${name}")" >> "${GITHUB_OUTPUT}"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 BINARY: ${{ steps.build.outputs.name }}
 PROVENANCE: ${{ steps.att.outputs.name }}
@@ -172,7 +172,7 @@ jobs:
 # to issues unless it's a schedule event.
 if: github.event_name == 'schedule' && needs.build.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -182,5 +182,5 @@ jobs:
 # to issues unless it's a schedule event.
 if: always() && github.event_name == 'schedule' && (needs.build.result == 'failure' || needs.verify.result == 'failure')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.container-based.schedule.main.matrix.slsa3.yml b/.github/workflows/e2e.container-based.schedule.main.matrix.slsa3.yml
index 9cde0f07f..c6fa628b3 100644
--- a/.github/workflows/e2e.container-based.schedule.main.matrix.slsa3.yml
+++ b/.github/workflows/e2e.container-based.schedule.main.matrix.slsa3.yml
@@ -38,7 +38,7 @@ jobs:
 - env:
 OUTPUTS: ${{ toJSON(needs.build.outputs) }}
 run: echo "${OUTPUTS}"
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: ${{ needs.build.outputs.build-outputs-name }}
@@ -61,9 +61,9 @@ jobs:
 name=$(find "${FOLDER}"/ -type f | head -1)
 cp "${name}" .
 echo "name=$(basename "${name}")" >> "${GITHUB_OUTPUT}"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 BINARY: ${{ steps.build.outputs.name }}
 PROVENANCE: ${{ steps.att.outputs.name }}
@@ -74,7 +74,7 @@ jobs:
 needs: [build, verify]
 if: needs.build.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -82,5 +82,5 @@ jobs:
 needs: [build, verify]
 if: always() && (needs.build.result == 'failure' || needs.verify.result == 'failure')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.container-based.schedule.main.registry-username-secret.yml b/.github/workflows/e2e.container-based.schedule.main.registry-username-secret.yml
index bb21901fc..5b2550f3f 100644
--- a/.github/workflows/e2e.container-based.schedule.main.registry-username-secret.yml
+++ b/.github/workflows/e2e.container-based.schedule.main.registry-username-secret.yml
@@ -33,7 +33,7 @@ jobs:
 digest: ${{ steps.image.outputs.digest }}
 steps:
 - name: Authenticate Docker
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ${{ env.IMAGE_REGISTRY }}
 username: ${REGISTRY_USERNAME}
@@ -73,7 +73,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [base, build]
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: ${{ needs.build.outputs.build-outputs-name }}
@@ -96,9 +96,9 @@ jobs:
 name=$(find "${FOLDER}"/ -type f | head -1)
 cp "${name}" .
 echo "name=$(basename "${name}")" >> "${GITHUB_OUTPUT}"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 BINARY: ${{ steps.build.outputs.name }}
 PROVENANCE: ${{ steps.att.outputs.name }}
@@ -111,7 +111,7 @@ jobs:
 # to issues unless it's a schedule event.
 if: github.event_name == 'schedule' && needs.build.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -121,5 +121,5 @@ jobs:
 # to issues unless it's a schedule event.
 if: always() && github.event_name == 'schedule' && (needs.build.result == 'failure' || needs.verify.result == 'failure')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.container-based.schedule.main.registry-username.yml b/.github/workflows/e2e.container-based.schedule.main.registry-username.yml
index 1bb8b5f9d..e0e3fb2dc 100644
--- a/.github/workflows/e2e.container-based.schedule.main.registry-username.yml
+++ b/.github/workflows/e2e.container-based.schedule.main.registry-username.yml
@@ -42,13 +42,13 @@ jobs:
 packages: write # For writing container images.
 steps:
 - name: Checkout the repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Authenticate Docker
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ${{ env.IMAGE_REGISTRY }}
 username: ${{ github.actor }}
@@ -56,12 +56,12 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
 - name: Build and push Docker image
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 id: build
 with:
 push: true
@@ -79,7 +79,7 @@ jobs:
 digest: ${{ steps.image.outputs.digest }}
 steps:
 - name: Authenticate Docker
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ${{ env.IMAGE_REGISTRY }}
 username: ${{ github.actor }}
@@ -122,7 +122,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [base, build]
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: ${{ needs.build.outputs.build-outputs-name }}
@@ -146,9 +146,9 @@ jobs:
 name=$(find "${FOLDER}"/ -type f | head -1)
 cp "${name}" .
 echo "name=$(basename "${name}")" >> "${GITHUB_OUTPUT}"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 BINARY: ${{ steps.build.outputs.name }}
 PROVENANCE: ${{ steps.att.outputs.name }}
@@ -161,7 +161,7 @@ jobs:
 # to issues unless it's a schedule event.
 if: github.event_name == 'schedule' && needs.build.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -171,5 +171,5 @@ jobs:
 # to issues unless it's a schedule event.
 if: always() && github.event_name == 'schedule' && (needs.build.result == 'failure' || needs.verify.result == 'failure')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.container-based.tag.main.default.slsa3.yml b/.github/workflows/e2e.container-based.tag.main.default.slsa3.yml
index a0ba7bcb8..e41d62797 100644
--- a/.github/workflows/e2e.container-based.tag.main.default.slsa3.yml
+++ b/.github/workflows/e2e.container-based.tag.main.default.slsa3.yml
@@ -26,7 +26,7 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-create-release.sh
 shim:
@@ -35,7 +35,7 @@ jobs:
 outputs:
 continue: ${{ steps.verify.outputs.continue }}
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - id: verify
 run: ./.github/workflows/scripts/e2e-verify-release.sh
@@ -59,7 +59,7 @@ jobs:
 needs: [shim, build]
 if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: ${{ needs.build.outputs.build-outputs-name }}
@@ -82,9 +82,9 @@ jobs:
 name=$(find "${FOLDER}"/ -type f | head -1)
 cp "${name}" .
 echo "name=$(basename "${name}")" >> "${GITHUB_OUTPUT}"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 BINARY: ${{ steps.build.outputs.name }}
 PROVENANCE: ${{ steps.att.outputs.name }}
@@ -95,7 +95,7 @@ jobs:
 needs: [shim, build, verify]
 if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -103,5 +103,5 @@ jobs:
 needs: [shim, build, verify]
 if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.container-based.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml b/.github/workflows/e2e.container-based.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml
index bcb0a6352..d6615d4b2 100644
--- a/.github/workflows/e2e.container-based.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml
+++ b/.github/workflows/e2e.container-based.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml
@@ -23,7 +23,7 @@ jobs:
 needs: [provenance]
 if: needs.provenance.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: |
 set -euo pipefail
diff --git a/.github/workflows/e2e.container-based.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml b/.github/workflows/e2e.container-based.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml
index 9645ea3b8..58bdd8ec3 100644
--- a/.github/workflows/e2e.container-based.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml
+++ b/.github/workflows/e2e.container-based.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml
@@ -48,7 +48,7 @@ jobs:
 needs: [provenance]
 if: needs.provenance.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: |
 set -euo pipefail
diff --git a/.github/workflows/e2e.container-based.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.container-based.workflow_dispatch.main.default.slsa3.yml
index 47fc96370..e890859d4 100644
--- a/.github/workflows/e2e.container-based.workflow_dispatch.main.default.slsa3.yml
+++ b/.github/workflows/e2e.container-based.workflow_dispatch.main.default.slsa3.yml
@@ -23,7 +23,7 @@ jobs:
 actions: write
 contents: write
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-dispatch.sh
 build:
@@ -45,7 +45,7 @@ jobs:
 needs: [build]
 if: github.event_name == 'workflow_dispatch'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: ${{ needs.build.outputs.build-outputs-name }}
@@ -68,9 +68,9 @@ jobs:
 name=$(find "${FOLDER}"/ -type f | head -1)
 cp "${name}" .
 echo "name=$(basename "${name}")" >> "${GITHUB_OUTPUT}"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 BINARY: ${{ steps.build.outputs.name }}
 PROVENANCE: ${{ steps.att.outputs.name }}
@@ -81,7 +81,7 @@ jobs:
 needs: [build, verify]
 if: github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -89,5 +89,5 @@ jobs:
 needs: [build, verify]
 if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.verify.result == 'failure')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.container.push.branch1.default.slsa3.yml b/.github/workflows/e2e.container.push.branch1.default.slsa3.yml
index 8dbc40549..9e4a7aeb9 100644
--- a/.github/workflows/e2e.container.push.branch1.default.slsa3.yml
+++ b/.github/workflows/e2e.container.push.branch1.default.slsa3.yml
@@ -36,7 +36,7 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-push.sh
 if-bootstrap-failed:
@@ -44,7 +44,7 @@ jobs:
 needs: [bootstrap]
 if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
 # Main workflow
@@ -75,13 +75,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Authenticate Docker - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.IMAGE_REGISTRY }} username: ${{ github.actor }} @@ -89,13 +89,13 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} github-token: ${{ secrets.E2E_CONTAINER_TOKEN }} - name: Build and push Docker image - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 id: build with: push: true @@ -140,7 +140,7 @@ jobs: packages: read # For reading attestations. runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - env: REGISTRY_USERNAME: ${{ github.actor }} 
@@ -161,9 +161,9 @@ jobs: echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV" echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: CONTAINER: "${{ env.container }}" PROVENANCE: "${{ env.provenance_file }}" @@ -174,7 +174,7 @@ jobs: needs: [build, provenance, verify] if: needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -182,5 +182,5 @@ jobs: needs: [build, provenance, verify] if: always() && github.ref_type == 'branch' && github.ref_name == 'branch1' && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result != 'success' || needs.provenance.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.container.push.main.default.slsa3.yml b/.github/workflows/e2e.container.push.main.default.slsa3.yml index deb151197..b092ca7bb 100644 --- a/.github/workflows/e2e.container.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.container.push.main.default.slsa3.yml 
@@ -33,7 +33,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-push.sh # Build the Go application into a Docker image @@ -49,13 +49,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Authenticate Docker - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.IMAGE_REGISTRY }} username: ${{ github.actor }} @@ -63,12 +63,12 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 id: build with: push: true @@ -114,7 +114,7 @@ jobs: packages: read # For reading attestations. runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - env: REGISTRY_USERNAME: ${{ github.actor }} 
@@ -135,9 +135,9 @@ jobs: echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV" echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: CONTAINER: "${{ env.container }}" PROVENANCE: "${{ env.provenance_file }}" @@ -148,7 +148,7 @@ jobs: needs: [build, provenance, verify] if: github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -156,5 +156,5 @@ jobs: needs: [build, provenance, verify] if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.container.schedule.main.continue-on-error.slsa3.yml b/.github/workflows/e2e.container.schedule.main.continue-on-error.slsa3.yml index 181fdc988..e5f397e2e 100644 --- a/.github/workflows/e2e.container.schedule.main.continue-on-error.slsa3.yml +++ b/.github/workflows/e2e.container.schedule.main.continue-on-error.slsa3.yml 
@@ -33,13 +33,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Authenticate Docker - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.IMAGE_REGISTRY }} username: ${{ github.actor }} @@ -47,12 +47,12 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 id: build with: push: true @@ -99,7 +99,7 @@ jobs: runs-on: ubuntu-latest if: ${{ always() }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - env: REGISTRY_USERNAME: ${{ github.actor }} 
@@ -120,9 +120,9 @@ jobs: echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV" echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: CONTAINER: "${{ env.container }}" PROVENANCE: "${{ env.provenance_file }}" @@ -135,7 +135,7 @@ jobs: needs: [build, provenance, verify] if: needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -143,7 +143,7 @@ jobs: needs: [build, provenance, verify] if: always() && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Generate an error @@ -186,7 +186,7 @@ jobs: # to issues unless it's a schedule event. if: github.event_name == 'schedule' && needs.provenance-continue-on-error.result == 'success' && needs.verify-continue-on-error.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed-continue-on-error: 
@@ -196,5 +196,5 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && (needs.provenance-continue-on-error.result == 'failure' || needs.verify-continue-on-error.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.container.schedule.main.default.slsa3.yml b/.github/workflows/e2e.container.schedule.main.default.slsa3.yml index 6b38f3393..9c75d8271 100644 --- a/.github/workflows/e2e.container.schedule.main.default.slsa3.yml +++ b/.github/workflows/e2e.container.schedule.main.default.slsa3.yml @@ -37,13 +37,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Authenticate Docker - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.IMAGE_REGISTRY }} username: ${{ github.actor }} 
@@ -51,13 +51,13 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} github-token: ${{ secrets.E2E_CONTAINER_TOKEN }} - name: Build and push Docker image - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 id: build with: push: true @@ -104,7 +104,7 @@ jobs: runs-on: ubuntu-latest if: ${{ always() }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - env: REGISTRY_USERNAME: ${{ github.actor }} @@ -125,9 +125,9 @@ jobs: echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV" echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: CONTAINER: "${{ env.container }}" PROVENANCE: "${{ env.provenance_file }}" @@ -140,7 +140,7 @@ jobs: # to issues unless it's a schedule event. if: github.event_name == 'schedule' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -150,5 +150,5 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.container.schedule.main.provenance-repository.slsa3.yml b/.github/workflows/e2e.container.schedule.main.provenance-repository.slsa3.yml index cdf13ab23..ef4715112 100644 --- a/.github/workflows/e2e.container.schedule.main.provenance-repository.slsa3.yml +++ b/.github/workflows/e2e.container.schedule.main.provenance-repository.slsa3.yml @@ -43,13 +43,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Authenticate Docker - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.IMAGE_REGISTRY }} username: ${{ github.actor }} 
@@ -57,12 +57,12 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 id: build with: push: true @@ -133,7 +133,7 @@ jobs: # Provenance image. Used to be called `PROVENANCE_IMAGE`. COSIGN_REPOSITORY: ${{ needs.provenance-metadata.outputs.image }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - env: PROVENANCE_REGISTRY_USERNAME: ${{ needs.provenance-metadata.outputs.username }} @@ -161,9 +161,9 @@ jobs: echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV" echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: CONTAINER: "${{ env.container }}" PROVENANCE: "${{ env.provenance_file }}" @@ -177,7 +177,7 @@ jobs: # to issues unless it's a schedule event. if: github.event_name == 'schedule' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -187,5 +187,5 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.container.tag.branch1.default.slsa3.yml b/.github/workflows/e2e.container.tag.branch1.default.slsa3.yml index bb881fed6..ad7c3131a 100644 --- a/.github/workflows/e2e.container.tag.branch1.default.slsa3.yml +++ b/.github/workflows/e2e.container.tag.branch1.default.slsa3.yml @@ -32,7 +32,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-create-release.sh shim: @@ -41,7 +41,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh 
@@ -59,13 +59,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Authenticate Docker - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.IMAGE_REGISTRY }} username: ${{ github.actor }} @@ -73,12 +73,12 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 id: build with: push: true @@ -124,7 +124,7 @@ jobs: packages: read # For reading attestations. runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - env: REGISTRY_USERNAME: ${{ github.actor }} 
@@ -145,9 +145,9 @@ jobs: echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV" echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: CONTAINER: "${{ env.container }}" PROVENANCE: "${{ env.provenance_file }}" @@ -158,7 +158,7 @@ jobs: needs: [shim, build, provenance, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -166,5 +166,5 @@ jobs: needs: [shim, build, provenance, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.container.tag.main.default.slsa3.yml b/.github/workflows/e2e.container.tag.main.default.slsa3.yml index 849af21f5..ce306d8dc 100644 --- a/.github/workflows/e2e.container.tag.main.default.slsa3.yml +++ b/.github/workflows/e2e.container.tag.main.default.slsa3.yml 
@@ -36,7 +36,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-create-release.sh shim: @@ -45,7 +45,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh @@ -63,13 +63,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Authenticate Docker - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.IMAGE_REGISTRY }} username: ${{ github.actor }} @@ -77,12 +77,12 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 id: build with: push: true 
@@ -128,7 +128,7 @@ jobs: packages: read # For reading attestations. runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - env: REGISTRY_USERNAME: ${{ github.actor }} @@ -149,9 +149,9 @@ jobs: echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV" echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: CONTAINER: "${{ env.container }}" PROVENANCE: "${{ env.provenance_file }}" @@ -162,7 +162,7 @@ jobs: needs: [shim, build, provenance, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -170,5 +170,5 @@ jobs: needs: [shim, build, provenance, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh 
diff --git a/.github/workflows/e2e.container.tag.main.gcp-workload-identity.slsa3.yml b/.github/workflows/e2e.container.tag.main.gcp-workload-identity.slsa3.yml index a63296798..15ed28058 100644 --- a/.github/workflows/e2e.container.tag.main.gcp-workload-identity.slsa3.yml +++ b/.github/workflows/e2e.container.tag.main.gcp-workload-identity.slsa3.yml @@ -36,7 +36,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-create-release.sh shim: @@ -45,7 +45,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh @@ -74,13 +74,13 @@ jobs: workload_identity_provider: ${{ env.PROVIDER_NAME }} - name: Checkout the repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Authenticate Docker - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.IMAGE_REGISTRY }} username: oauth2accesstoken 
@@ -88,12 +88,12 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 id: build with: push: true @@ -143,7 +143,7 @@ jobs: id-token: write # For authenticating to Google Cloud Workload Identity runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: auth name: "Authenticate to Google Cloud" uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3 @@ -171,9 +171,9 @@ jobs: echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV" echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: CONTAINER: "${{ env.container }}" PROVENANCE: "${{ env.provenance_file }}" @@ -184,7 +184,7 @@ jobs: needs: [shim, build, provenance, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
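Review bot: In the `@@ -143,7` hunk of `e2e.container.tag.main.gcp-workload-identity.slsa3.yml`, the `google-github-actions/auth` pin is annotated `# v3`, a major tag only, whereas every pin this commit touches carries a full version such as `# v6.0.3`. That step sits in a job granted `id-token: write`, so a reviewer should be able to match the SHA to one specific release; a major tag is typically moved as releases land and cannot be checked that way. I would change the comment to the exact release the SHA belongs to, e.g. `# v3.<minor>.<patch>` (placeholder; the real tag is not visible here). The step's `with:` block lies outside the hunk.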
@@ -192,5 +192,5 @@ jobs: needs: [shim, build, provenance, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.container.tag.main.registry-username-secret.yml b/.github/workflows/e2e.container.tag.main.registry-username-secret.yml index 4e550a747..891f7fab4 100644 --- a/.github/workflows/e2e.container.tag.main.registry-username-secret.yml +++ b/.github/workflows/e2e.container.tag.main.registry-username-secret.yml @@ -36,7 +36,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-create-release.sh shim: @@ -45,7 +45,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh 
@@ -63,13 +63,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Authenticate Docker - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.IMAGE_REGISTRY }} username: ${{ github.actor }} @@ -77,12 +77,12 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 id: build with: push: true @@ -129,7 +129,7 @@ jobs: packages: read # For reading attestations. runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - env: REGISTRY_USERNAME: ${{ github.actor }} 
@@ -150,9 +150,9 @@ jobs:
 echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV"
 echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 CONTAINER: "${{ env.container }}"
 PROVENANCE: "${{ env.provenance_file }}"
@@ -163,7 +163,7 @@ jobs:
 needs: [shim, build, provenance, verify]
 if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -171,5 +171,5 @@ jobs:
 needs: [shim, build, provenance, verify]
 if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.container.workflow_dispatch.branch1.default.slsa3.yml b/.github/workflows/e2e.container.workflow_dispatch.branch1.default.slsa3.yml
index 49d9b6409..f004ba6b9 100644
--- a/.github/workflows/e2e.container.workflow_dispatch.branch1.default.slsa3.yml
+++ b/.github/workflows/e2e.container.workflow_dispatch.branch1.default.slsa3.yml
@@ -28,7 +28,7 @@ jobs:
 actions: write
 contents: write
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-dispatch.sh
 # Build the Go application into a Docker image
@@ -44,13 +44,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout the repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Authenticate Docker
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ${{ env.IMAGE_REGISTRY }}
 username: ${{ github.actor }}
@@ -58,12 +58,12 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
 - name: Build and push Docker image
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 id: build
 with:
 push: true
@@ -109,7 +109,7 @@ jobs:
 packages: read # For reading attestations.
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 - env:
 REGISTRY_USERNAME: ${{ github.actor }}
@@ -130,9 +130,9 @@ jobs:
 echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV"
 echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 CONTAINER: "${{ env.container }}"
 PROVENANCE: "${{ env.provenance_file }}"
@@ -143,7 +143,7 @@ jobs:
 needs: [build, provenance, verify]
 if: github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -151,5 +151,5 @@ jobs:
 needs: [build, provenance, verify]
 if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.container.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml b/.github/workflows/e2e.container.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml
index b9f9d286a..70bea4cd3 100644
--- a/.github/workflows/e2e.container.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml
+++ b/.github/workflows/e2e.container.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml
@@ -31,13 +31,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout the repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Authenticate Docker
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ${{ env.IMAGE_REGISTRY }}
 username: ${{ github.actor }}
@@ -45,12 +45,12 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
 - name: Build and push Docker image
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 id: build
 with:
 push: true
@@ -88,7 +88,7 @@ jobs:
 needs: [provenance]
 if: needs.provenance.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: |
 set -euo pipefail
diff --git a/.github/workflows/e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml b/.github/workflows/e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml
index c7836bea0..0b65df164 100644
--- a/.github/workflows/e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml
+++ b/.github/workflows/e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml
@@ -31,13 +31,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout the repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Authenticate Docker
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ${{ env.IMAGE_REGISTRY }}
 username: ${{ github.actor }}
@@ -45,12 +45,12 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
 - name: Build and push Docker image
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 id: build
 with:
 push: true
@@ -92,7 +92,7 @@ jobs:
 needs: [provenance]
 if: needs.provenance.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: |
 set -euo pipefail
diff --git a/.github/workflows/e2e.container.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.container.workflow_dispatch.main.default.slsa3.yml
index 3f7dcbb87..b0f48867d 100644
--- a/.github/workflows/e2e.container.workflow_dispatch.main.default.slsa3.yml
+++ b/.github/workflows/e2e.container.workflow_dispatch.main.default.slsa3.yml
@@ -32,7 +32,7 @@ jobs:
 actions: write
 contents: write
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-dispatch.sh
 # Build the Go application into a Docker image
@@ -48,13 +48,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout the repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Authenticate Docker
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ${{ env.IMAGE_REGISTRY }}
 username: ${{ github.actor }}
@@ -62,12 +62,12 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
 - name: Build and push Docker image
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 id: build
 with:
 push: true
@@ -113,7 +113,7 @@ jobs:
 packages: read # For reading attestations.
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 - env:
 REGISTRY_USERNAME: ${{ github.actor }}
@@ -134,9 +134,9 @@ jobs:
 echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV"
 echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 CONTAINER: "${{ env.container }}"
 PROVENANCE: "${{ env.provenance_file }}"
@@ -147,7 +147,7 @@ jobs:
 needs: [build, provenance, verify]
 if: github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -155,5 +155,5 @@ jobs:
 needs: [build, provenance, verify]
 if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.container.workflow_dispatch.main.workflow_inputs.slsa3.yml b/.github/workflows/e2e.container.workflow_dispatch.main.workflow_inputs.slsa3.yml
index 1a3462f80..c9379c313 100644
--- a/.github/workflows/e2e.container.workflow_dispatch.main.workflow_inputs.slsa3.yml
+++ b/.github/workflows/e2e.container.workflow_dispatch.main.workflow_inputs.slsa3.yml
@@ -37,7 +37,7 @@ jobs:
 actions: write
 contents: write
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-dispatch.sh
 # Build the Go application into a Docker image
@@ -53,13 +53,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout the repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Authenticate Docker
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ${{ env.IMAGE_REGISTRY }}
 username: ${{ github.actor }}
@@ -67,12 +67,12 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
 - name: Build and push Docker image
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 id: build
 with:
 push: true
@@ -118,7 +118,7 @@ jobs:
 packages: read # For reading attestations.
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 - env:
 REGISTRY_USERNAME: ${{ github.actor }}
@@ -139,9 +139,9 @@ jobs:
 echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV"
 echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 CONTAINER: "${{ env.container }}"
 PROVENANCE: "${{ env.provenance_file }}"
@@ -152,7 +152,7 @@ jobs:
 needs: [build, provenance, verify]
 if: github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -160,5 +160,5 @@ jobs:
 needs: [build, provenance, verify]
 if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.delegator-generic.create.main.checkout.slsa3.yml b/.github/workflows/e2e.delegator-generic.create.main.checkout.slsa3.yml
index a538ddf57..7f8fa59eb 100644
--- a/.github/workflows/e2e.delegator-generic.create.main.checkout.slsa3.yml
+++ b/.github/workflows/e2e.delegator-generic.create.main.checkout.slsa3.yml
@@ -32,7 +32,7 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 # Bumps the package version pushes, creates a git tag, and pushes the tag.
 - run: ./.github/workflows/scripts/e2e-bootstrap.sh
@@ -41,7 +41,7 @@ jobs:
 needs: [bootstrap]
 if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
 # Main workflow
@@ -81,7 +81,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build]
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: "${{ needs.build.outputs.artifact }}" # NOTE: This is 'my-artifact'.
@@ -89,9 +89,9 @@ jobs:
 with:
 name: "${{ needs.build.outputs.provenance-download-name }}"
 sha256: "${{ needs.build.outputs.provenance-download-sha256 }}"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 BINARY: "${{ needs.build.outputs.artifact }}"
 PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/${{ needs.build.outputs.artifact }}.build.slsa" # This is defined by the builder.
@@ -103,7 +103,7 @@ jobs:
 needs: [build, verify]
 if: needs.build.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -111,5 +111,5 @@ jobs:
 needs: [build, verify]
 if: always() && github.event_name == 'create' && startsWith(github.ref, 'refs/tags/v48') && (needs.build.result != 'success' || needs.verify.result != 'success')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.delegator-generic.create.main.default.slsa3.yml b/.github/workflows/e2e.delegator-generic.create.main.default.slsa3.yml
index 86475df7f..607324f9f 100644
--- a/.github/workflows/e2e.delegator-generic.create.main.default.slsa3.yml
+++ b/.github/workflows/e2e.delegator-generic.create.main.default.slsa3.yml
@@ -25,7 +25,7 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 # Bumps the package version pushes, creates a git tag, and pushes the tag.
 - run: ./.github/workflows/scripts/e2e-bootstrap.sh
@@ -34,7 +34,7 @@ jobs:
 needs: [bootstrap]
 if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
 # Main workflow
@@ -71,7 +71,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build]
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: "${{ needs.build.outputs.artifact }}" # NOTE: This is 'my-artifact'.
@@ -79,9 +79,9 @@ jobs:
 with:
 name: "${{ needs.build.outputs.provenance-download-name }}"
 sha256: "${{ needs.build.outputs.provenance-download-sha256 }}"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 BINARY: "${{ needs.build.outputs.artifact }}"
 PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/${{ needs.build.outputs.artifact }}.build.slsa" # This is defined by the builder.
@@ -93,7 +93,7 @@ jobs:
 needs: [build, verify]
 if: needs.build.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -101,5 +101,5 @@ jobs:
 needs: [build, verify]
 if: always() && github.event_name == 'create' && startsWith(github.ref, 'refs/tags/v45') && (needs.build.result != 'success' || needs.verify.result != 'success')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.delegator-generic.push.main.default.slsa3.yml b/.github/workflows/e2e.delegator-generic.push.main.default.slsa3.yml
index 8db0796f0..39cd263e0 100644
--- a/.github/workflows/e2e.delegator-generic.push.main.default.slsa3.yml
+++ b/.github/workflows/e2e.delegator-generic.push.main.default.slsa3.yml
@@ -25,7 +25,7 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 # Bumps the package version pushes, creates a git tag, and pushes the tag.
 - run: ./.github/workflows/scripts/e2e-bootstrap.sh
@@ -34,7 +34,7 @@ jobs:
 needs: [bootstrap]
 if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
 # Main workflow
@@ -71,7 +71,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build]
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: "${{ needs.build.outputs.artifact }}" # NOTE: This is 'my-artifact'.
@@ -79,9 +79,9 @@ jobs:
 with:
 name: "${{ needs.build.outputs.provenance-download-name }}"
 sha256: "${{ needs.build.outputs.provenance-download-sha256 }}"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 BINARY: "${{ needs.build.outputs.artifact }}"
 PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/${{ needs.build.outputs.artifact }}.build.slsa" # This is defined by the builder.
@@ -93,7 +93,7 @@ jobs:
 needs: [build, verify]
 if: needs.build.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -101,5 +101,5 @@ jobs:
 needs: [build, verify]
 if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result != 'success' || needs.verify.result != 'success')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.delegator-generic.release.main.checkout.slsa3.yml b/.github/workflows/e2e.delegator-generic.release.main.checkout.slsa3.yml
index a6d863ff8..69cc115da 100644
--- a/.github/workflows/e2e.delegator-generic.release.main.checkout.slsa3.yml
+++ b/.github/workflows/e2e.delegator-generic.release.main.checkout.slsa3.yml
@@ -33,7 +33,7 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 # Bumps the package version pushes, creates a git tag, and pushes the tag.
 - run: ./.github/workflows/scripts/e2e-bootstrap.sh
@@ -42,7 +42,7 @@ jobs:
 needs: [bootstrap]
 if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
 # Main workflow
@@ -83,7 +83,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build]
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: "${{ needs.build.outputs.artifact }}" # NOTE: This is 'my-artifact'.
@@ -91,9 +91,9 @@ jobs:
 with:
 name: "${{ needs.build.outputs.provenance-download-name }}"
 sha256: "${{ needs.build.outputs.provenance-download-sha256 }}"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 BINARY: "${{ needs.build.outputs.artifact }}"
 PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/${{ needs.build.outputs.artifact }}.build.slsa" # This is defined by the builder.
@@ -105,7 +105,7 @@ jobs:
 needs: [build, verify]
 if: needs.build.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -113,5 +113,5 @@ jobs:
 needs: [build, verify]
 if: always() && github.event_name == 'release' && startsWith(github.ref, 'refs/tags/v50') && (needs.build.result != 'success' || needs.verify.result != 'success')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.delegator-generic.release.main.default.slsa3.yml b/.github/workflows/e2e.delegator-generic.release.main.default.slsa3.yml
index 041d28ad5..767e3fdb1 100644
--- a/.github/workflows/e2e.delegator-generic.release.main.default.slsa3.yml
+++ b/.github/workflows/e2e.delegator-generic.release.main.default.slsa3.yml
@@ -26,7 +26,7 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 # Bumps the package version pushes, creates a git tag, and pushes the tag.
 - run: ./.github/workflows/scripts/e2e-bootstrap.sh
@@ -35,7 +35,7 @@ jobs:
 needs: [bootstrap]
 if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
 # Main workflow
@@ -72,7 +72,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build]
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: "${{ needs.build.outputs.artifact }}" # NOTE: This is 'my-artifact'.
@@ -80,9 +80,9 @@ jobs:
 with:
 name: "${{ needs.build.outputs.provenance-download-name }}"
 sha256: "${{ needs.build.outputs.provenance-download-sha256 }}"
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
- go-version: "1.24"
+ go-version: "1.26"
 - env:
 BINARY: "${{ needs.build.outputs.artifact }}"
 PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/${{ needs.build.outputs.artifact }}.build.slsa" # This is defined by the builder.
@@ -94,7 +94,7 @@ jobs:
 needs: [build, verify]
 if: needs.build.result == 'success' && needs.verify.result == 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-success.sh
 if-failed:
@@ -102,5 +102,5 @@ jobs:
 needs: [build, verify]
 if: always() && github.event_name == 'release' && startsWith(github.ref, 'refs/tags/v42') && (needs.build.result != 'success' || needs.verify.result != 'success')
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
diff --git a/.github/workflows/e2e.delegator-generic.tag.main.default.slsa3.yml b/.github/workflows/e2e.delegator-generic.tag.main.default.slsa3.yml
index 20476fcba..2b6c03d2d 100644
--- a/.github/workflows/e2e.delegator-generic.tag.main.default.slsa3.yml
+++ b/.github/workflows/e2e.delegator-generic.tag.main.default.slsa3.yml
@@ -27,7 +27,7 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 # Bumps the package version pushes, creates a git tag, and pushes the tag.
 - run: ./.github/workflows/scripts/e2e-bootstrap.sh
@@ -36,7 +36,7 @@ jobs:
 needs: [bootstrap]
 if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success'
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: ./.github/workflows/scripts/e2e-report-failure.sh
 # Main workflow
@@ -73,7 +73,7 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: "${{ needs.build.outputs.artifact }}" # NOTE: This is 'my-artifact'. @@ -81,9 +81,9 @@ jobs: with: name: "${{ needs.build.outputs.provenance-download-name }}" sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: "${{ needs.build.outputs.artifact }}" PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/${{ needs.build.outputs.artifact }}.build.slsa" # This is defined by the builder. @@ -95,7 +95,7 @@ jobs: needs: [build, verify] if: needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -103,5 +103,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.delegator-generic.workflow_dispatch.branch1.checkout.slsa3.yml b/.github/workflows/e2e.delegator-generic.workflow_dispatch.branch1.checkout.slsa3.yml index 509ed2573..dbc48a3ff 100644 
--- a/.github/workflows/e2e.delegator-generic.workflow_dispatch.branch1.checkout.slsa3.yml +++ b/.github/workflows/e2e.delegator-generic.workflow_dispatch.branch1.checkout.slsa3.yml @@ -35,7 +35,7 @@ jobs: actions: write contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -44,7 +44,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build)) && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow @@ -84,7 +84,7 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: "${{ needs.build.outputs.artifact }}" # NOTE: This is 'my-artifact'. @@ -92,9 +92,9 @@ jobs: with: name: "${{ needs.build.outputs.provenance-download-name }}" sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: "${{ needs.build.outputs.artifact }}" PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/${{ needs.build.outputs.artifact }}.build.slsa" # This is defined by the builder. 
@@ -106,7 +106,7 @@ jobs: needs: [build, verify] if: needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -114,5 +114,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'workflow_dispatch' && inputs.trigger_build && (needs.build.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.delegator-generic.workflow_dispatch.branch1.default.slsa3.yml b/.github/workflows/e2e.delegator-generic.workflow_dispatch.branch1.default.slsa3.yml index 7acf6a5f9..452973873 100644 --- a/.github/workflows/e2e.delegator-generic.workflow_dispatch.branch1.default.slsa3.yml +++ b/.github/workflows/e2e.delegator-generic.workflow_dispatch.branch1.default.slsa3.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -36,7 +36,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build)) && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow 
@@ -73,7 +73,7 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: "${{ needs.build.outputs.artifact }}" # NOTE: This is 'my-artifact'. @@ -81,9 +81,9 @@ jobs: with: name: "${{ needs.build.outputs.provenance-download-name }}" sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: "${{ needs.build.outputs.artifact }}" PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/${{ needs.build.outputs.artifact }}.build.slsa" # This is defined by the builder. @@ -95,7 +95,7 @@ jobs: needs: [build, verify] if: needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -103,5 +103,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'workflow_dispatch' && inputs.trigger_build && (needs.build.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.delegator-generic.workflow_dispatch.main.checkout.slsa3.yml b/.github/workflows/e2e.delegator-generic.workflow_dispatch.main.checkout.slsa3.yml index 3de3780a0..26cab51c9 100644 
--- a/.github/workflows/e2e.delegator-generic.workflow_dispatch.main.checkout.slsa3.yml +++ b/.github/workflows/e2e.delegator-generic.workflow_dispatch.main.checkout.slsa3.yml @@ -34,7 +34,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -43,7 +43,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build)) && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow @@ -83,7 +83,7 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: "${{ needs.build.outputs.artifact }}" # NOTE: This is 'my-artifact'. @@ -91,9 +91,9 @@ jobs: with: name: "${{ needs.build.outputs.provenance-download-name }}" sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: "${{ needs.build.outputs.artifact }}" PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/${{ needs.build.outputs.artifact }}.build.slsa" # This is defined by the builder. 
@@ -105,7 +105,7 @@ jobs: needs: [build, verify] if: needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -113,5 +113,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'workflow_dispatch' && inputs.trigger_build && (needs.build.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.delegator-generic.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.delegator-generic.workflow_dispatch.main.default.slsa3.yml index bc6e29abb..6fc9e11bf 100644 --- a/.github/workflows/e2e.delegator-generic.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.delegator-generic.workflow_dispatch.main.default.slsa3.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -36,7 +36,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build)) && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow 
@@ -73,7 +73,7 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: "${{ needs.build.outputs.artifact }}" # NOTE: This is 'my-artifact'. @@ -81,9 +81,9 @@ jobs: with: name: "${{ needs.build.outputs.provenance-download-name }}" sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: "${{ needs.build.outputs.artifact }}" PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/${{ needs.build.outputs.artifact }}.build.slsa" # This is defined by the builder. @@ -95,7 +95,7 @@ jobs: needs: [build, verify] if: needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -103,5 +103,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'workflow_dispatch' && inputs.trigger_build && (needs.build.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.delegator-lowperms.create.main.default.slsa3.yml b/.github/workflows/e2e.delegator-lowperms.create.main.default.slsa3.yml index 664a17780..9606c70d2 100644 --- a/.github/workflows/e2e.delegator-lowperms.create.main.default.slsa3.yml 
+++ b/.github/workflows/e2e.delegator-lowperms.create.main.default.slsa3.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -34,7 +34,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow @@ -70,7 +70,7 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: slsa-framework/slsa-github-generator/actions/delegator/secure-download-folder@main with: name: "${{ needs.build.outputs.artifact-download-name }}" # NOTE: This is randomized 'my-artifact'. @@ -80,9 +80,9 @@ jobs: with: name: "${{ needs.build.outputs.provenance-download-name }}" sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: # NOTE: We move the artifact because the verification script # check that the subject name matches the filename. 
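Review bot: `slsa-framework/slsa-github-generator/actions/delegator/secure-download-folder@main` in the verify job (`@@ -70,7 +70,7 @@`) stays on a mutable branch ref while every other action in the hunk is pinned to a commit SHA, so the step that fetches the artifact under verification can change without a reviewed pin update. If tracking `main` is deliberate (these e2e workflows presumably test the generator at HEAD), a comment above the step such as `# Intentionally tracks main: the e2e tests exercise the generator at HEAD.` would keep it from reading as an oversight. The same ref appears in the other e2e.delegator-lowperms.* workflows in this patch (push, release, tag, workflow_dispatch). The verify job starts and ends outside the hunk.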
@@ -100,7 +100,7 @@ jobs: needs: [build, verify] if: needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -108,5 +108,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'create' && startsWith(github.ref, 'refs/tags/v46') && (needs.build.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.delegator-lowperms.push.main.default.slsa3.yml b/.github/workflows/e2e.delegator-lowperms.push.main.default.slsa3.yml index 4645a28b2..ef57e890b 100644 --- a/.github/workflows/e2e.delegator-lowperms.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.delegator-lowperms.push.main.default.slsa3.yml @@ -23,7 +23,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -32,7 +32,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow 
@@ -68,7 +68,7 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: slsa-framework/slsa-github-generator/actions/delegator/secure-download-folder@main with: name: "${{ needs.build.outputs.artifact-download-name }}" # NOTE: This is randomized 'my-artifact'. @@ -78,9 +78,9 @@ jobs: with: name: "${{ needs.build.outputs.provenance-download-name }}" sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: # NOTE: We move the artifact because the verification script # check that the subject name matches the filename. @@ -98,7 +98,7 @@ jobs: needs: [build, verify] if: needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -106,5 +106,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.delegator-lowperms.release.main.default.slsa3.yml b/.github/workflows/e2e.delegator-lowperms.release.main.default.slsa3.yml index 995c4ffa2..b2b018460 100644 --- a/.github/workflows/e2e.delegator-lowperms.release.main.default.slsa3.yml 
+++ b/.github/workflows/e2e.delegator-lowperms.release.main.default.slsa3.yml @@ -26,7 +26,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -35,7 +35,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow @@ -71,7 +71,7 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: slsa-framework/slsa-github-generator/actions/delegator/secure-download-folder@main with: name: "${{ needs.build.outputs.artifact-download-name }}" # NOTE: This is randomized 'my-artifact'. @@ -81,9 +81,9 @@ jobs: with: name: "${{ needs.build.outputs.provenance-download-name }}" sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: # NOTE: We move the artifact because the verification script # check that the subject name matches the filename. 
@@ -101,7 +101,7 @@ jobs: needs: [build, verify] if: needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -109,5 +109,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'release' && startsWith(github.ref, 'refs/tags/v43') && (needs.build.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.delegator-lowperms.tag.main.default.slsa3.yml b/.github/workflows/e2e.delegator-lowperms.tag.main.default.slsa3.yml index d7b55278e..1e8a9dcc5 100644 --- a/.github/workflows/e2e.delegator-lowperms.tag.main.default.slsa3.yml +++ b/.github/workflows/e2e.delegator-lowperms.tag.main.default.slsa3.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -36,7 +36,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow 
@@ -72,7 +72,7 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: slsa-framework/slsa-github-generator/actions/delegator/secure-download-folder@main with: name: "${{ needs.build.outputs.artifact-download-name }}" # NOTE: This is randomized 'my-artifact'. @@ -82,9 +82,9 @@ jobs: with: name: "${{ needs.build.outputs.provenance-download-name }}" sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: # NOTE: We move the artifact because the verification script # check that the subject name matches the filename. @@ -102,7 +102,7 @@ jobs: needs: [build, verify] if: needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -110,5 +110,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v47') && (needs.build.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.delegator-lowperms.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.delegator-lowperms.workflow_dispatch.main.default.slsa3.yml index dcd374e82..7505a0144 100644 --- a/.github/workflows/e2e.delegator-lowperms.workflow_dispatch.main.default.slsa3.yml 
+++ b/.github/workflows/e2e.delegator-lowperms.workflow_dispatch.main.default.slsa3.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -36,7 +36,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build)) && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow @@ -72,7 +72,7 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: slsa-framework/slsa-github-generator/actions/delegator/secure-download-folder@main with: name: "${{ needs.build.outputs.artifact-download-name }}" # NOTE: This is randomized 'my-artifact'. @@ -82,9 +82,9 @@ jobs: with: name: "${{ needs.build.outputs.provenance-download-name }}" sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: # NOTE: We move the artifact because the verification script # check that the subject name matches the filename. 
@@ -102,7 +102,7 @@ jobs: needs: [build, verify] if: needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -110,5 +110,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'workflow_dispatch' && inputs.trigger_build && (needs.build.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.gcb.push.main.default.slsa3.yml b/.github/workflows/e2e.gcb.push.main.default.slsa3.yml index 51f22850d..8bc2162ec 100644 --- a/.github/workflows/e2e.gcb.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.gcb.push.main.default.slsa3.yml @@ -35,7 +35,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-push.sh # Retrieve provenance of the latest build. @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: "auth" name: "Authenticate to Google Cloud" uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3 
@@ -86,13 +86,13 @@ jobs: needs: provenance runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.provenance.outputs.provenance-name }} - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: CONTAINER: ${{ needs.provenance.outputs.image }} PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} @@ -103,7 +103,7 @@ jobs: needs: [provenance, verify] if: needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -111,5 +111,5 @@ jobs: needs: [provenance, verify] if: always() && needs.provenance.result == 'failure' || needs.verify.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.gcb.tag.main.annotated-build.slsa3.yml b/.github/workflows/e2e.gcb.tag.main.annotated-build.slsa3.yml index 0e588799c..db86c2097 100644 --- a/.github/workflows/e2e.gcb.tag.main.annotated-build.slsa3.yml +++ b/.github/workflows/e2e.gcb.tag.main.annotated-build.slsa3.yml @@ -34,7 +34,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: ./.github/workflows/scripts/e2e-create-release.sh 
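Review bot: The `if-failed` condition in the last hunk of e2e.gcb.push.main.default.slsa3.yml (`@@ -111,5 +111,5 @@`) reads `always() && needs.provenance.result == 'failure' || needs.verify.result == 'failure'`, which leans on `&&` binding tighter than `||` and matches only `failure`. The delegator workflows in this patch use a parenthesised `!= 'success'` test, so a cancelled `provenance` job followed by a skipped `verify` appears to go unreported here while the equivalent case is reported there. Unless excluding cancelled runs is deliberate, I would write `if: always() && (needs.provenance.result != 'success' || needs.verify.result != 'success')`. The same line appears in e2e.gcb.tag.main.annotated-build.slsa3.yml (`@@ -111,5 +111,5 @@`), and the job definition starts above the hunk.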
@@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: "auth" name: "Authenticate to Google Cloud" uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3 @@ -86,13 +86,13 @@ jobs: needs: provenance runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.provenance.outputs.provenance-name }} - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: CONTAINER: ${{ needs.provenance.outputs.image }} PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} @@ -103,7 +103,7 @@ jobs: needs: [provenance, verify] if: needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -111,5 +111,5 @@ jobs: needs: [provenance, verify] if: always() && needs.provenance.result == 'failure' || needs.verify.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.gcb.workflow_dispatch.main.dockerfile.slsa3.yml b/.github/workflows/e2e.gcb.workflow_dispatch.main.dockerfile.slsa3.yml index a3169406f..341cdda3e 100644 
--- a/.github/workflows/e2e.gcb.workflow_dispatch.main.dockerfile.slsa3.yml +++ b/.github/workflows/e2e.gcb.workflow_dispatch.main.dockerfile.slsa3.yml @@ -28,7 +28,7 @@ jobs: actions: write contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-dispatch.sh # Trigger the GCB build @@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: "auth" name: "Authenticate to Google Cloud" uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3 diff --git a/.github/workflows/e2e.generic.push.branch1.default.slsa3.yml b/.github/workflows/e2e.generic.push.branch1.default.slsa3.yml index c32230b51..2ab4f08eb 100644 --- a/.github/workflows/e2e.generic.push.branch1.default.slsa3.yml +++ b/.github/workflows/e2e.generic.push.branch1.default.slsa3.yml @@ -20,7 +20,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-push.sh shim: @@ -29,7 +29,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: | set -euo pipefail @@ -51,7 +51,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Bazelisk uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0 with: 
@@ -95,16 +95,16 @@ jobs: runs-on: ubuntu-latest if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.provenance.outputs.provenance-name }} - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.binary-name }} PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} @@ -115,7 +115,7 @@ jobs: needs: [shim, build, provenance, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -123,5 +123,5 @@ jobs: needs: [shim, build, provenance, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.push.main.default.slsa3.yml b/.github/workflows/e2e.generic.push.main.default.slsa3.yml index e28479037..2a5f1d930 100644 --- a/.github/workflows/e2e.generic.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.generic.push.main.default.slsa3.yml @@ -20,7 +20,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-push.sh build: @@ -31,7 +31,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Bazelisk uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0 with: 
@@ -76,16 +76,16 @@ jobs: needs: [build, provenance] if: github.event_name == 'push' && github.event.head_commit.message == github.workflow steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.provenance.outputs.provenance-name }} - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.binary-name }} PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} @@ -96,7 +96,7 @@ jobs: needs: [build, provenance, verify] if: github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -104,5 +104,5 @@ jobs: needs: [build, provenance, verify] if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh 
diff --git a/.github/workflows/e2e.generic.push.main.upload-tag-name.slsa3.yml b/.github/workflows/e2e.generic.push.main.upload-tag-name.slsa3.yml index d1a04303a..7eadb8302 100644 --- a/.github/workflows/e2e.generic.push.main.upload-tag-name.slsa3.yml +++ b/.github/workflows/e2e.generic.push.main.upload-tag-name.slsa3.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-push.sh build: @@ -39,7 +39,7 @@ jobs: upload-tag-name: ${{ steps.hash.outputs.upload-tag-name }} steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Bazelisk uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0 with: @@ -91,16 +91,16 @@ jobs: needs: [build, provenance] if: github.event_name == 'push' && github.event.head_commit.message == github.workflow steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.provenance.outputs.provenance-name }} - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.binary-name }} PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} 
@@ -111,7 +111,7 @@ jobs: needs: [build, provenance, verify] if: github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -119,5 +119,5 @@ jobs: needs: [build, provenance, verify] if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.release.main.default.slsa3.yml b/.github/workflows/e2e.generic.release.main.default.slsa3.yml index b4eac9dec..2bbec4617 100644 --- a/.github/workflows/e2e.generic.release.main.default.slsa3.yml +++ b/.github/workflows/e2e.generic.release.main.default.slsa3.yml @@ -24,7 +24,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: ./.github/workflows/scripts/e2e-create-release.sh @@ -34,7 +34,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh 
@@ -47,7 +47,7 @@ jobs: digest: ${{ steps.hash.outputs.digest }} steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Bazelisk uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0 with: @@ -91,16 +91,16 @@ jobs: needs: [shim, build, provenance] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'release' && github.ref_type == 'tag' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.provenance.outputs.provenance-name }} - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.binary-name }} PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} @@ -111,7 +111,7 @@ jobs: needs: [shim, build, provenance, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'release' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -119,5 +119,5 @@ jobs: needs: [shim, build, provenance, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'release' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.schedule.main.adversarial-invalidpath.slsa3.yml b/.github/workflows/e2e.generic.schedule.main.adversarial-invalidpath.slsa3.yml index eb2fc841d..0e9fbcc25 100644 --- a/.github/workflows/e2e.generic.schedule.main.adversarial-invalidpath.slsa3.yml +++ b/.github/workflows/e2e.generic.schedule.main.adversarial-invalidpath.slsa3.yml @@ -61,7 +61,7 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && needs.build.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh if-failed-provenance: @@ -71,7 +71,7 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && needs.build.result == 'success' && needs.provenance.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-succeeded-provenance: 
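Review bot: In e2e.generic.schedule.main.adversarial-invalidpath.slsa3.yml the reporting reads as inverted: hunk `@@ -71,7 +71,7 @@` runs `e2e-report-success.sh` when `needs.provenance.result == 'failure'`, and the next hunk runs `e2e-report-failure.sh` when provenance succeeds. That is presumably intended for an adversarial test, where provenance generation should reject the bad input, but the only visible comment explains the schedule restriction. A short comment above each condition would keep a later edit from "correcting" the mapping, for example `# Adversarial test: provenance generation must fail, so a failure here is the passing outcome.` Skip it if the file already says this outside the hunks. The same applies to e2e.generic.schedule.main.adversarial-invalidsubjects.slsa3.yml.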
@@ -81,5 +81,5 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && needs.build.result == 'success' && needs.provenance.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.schedule.main.adversarial-invalidsubjects.slsa3.yml b/.github/workflows/e2e.generic.schedule.main.adversarial-invalidsubjects.slsa3.yml index 122c26f02..120766a5a 100644 --- a/.github/workflows/e2e.generic.schedule.main.adversarial-invalidsubjects.slsa3.yml +++ b/.github/workflows/e2e.generic.schedule.main.adversarial-invalidsubjects.slsa3.yml @@ -60,7 +60,7 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && needs.build.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh if-failed-provenance: @@ -70,7 +70,7 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && needs.build.result == 'success' && needs.provenance.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-succeeded-provenance: 
@@ -80,5 +80,5 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && needs.build.result == 'success' && needs.provenance.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.schedule.main.default.slsa3.yml b/.github/workflows/e2e.generic.schedule.main.default.slsa3.yml index 405c64334..bca98a3cd 100644 --- a/.github/workflows/e2e.generic.schedule.main.default.slsa3.yml +++ b/.github/workflows/e2e.generic.schedule.main.default.slsa3.yml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Bazelisk uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0 with: @@ -62,7 +62,7 @@ jobs: needs: [build, provenance] steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Download binary uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: @@ -72,9 +72,9 @@ jobs: with: name: ${{ needs.provenance.outputs.provenance-name }} - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - name: Verify provenance env: BINARY: ${{ needs.build.outputs.binary-name }} 
@@ -88,7 +88,7 @@ jobs: # to issues unless it's a schedule event. if: github.event_name == 'schedule' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -98,5 +98,5 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.schedule.main.multi-subjects.slsa3.yml b/.github/workflows/e2e.generic.schedule.main.multi-subjects.slsa3.yml index 29ba36686..3cddf53d4 100644 --- a/.github/workflows/e2e.generic.schedule.main.multi-subjects.slsa3.yml +++ b/.github/workflows/e2e.generic.schedule.main.multi-subjects.slsa3.yml @@ -60,7 +60,7 @@ jobs: needs: [build, provenance] steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Download binary uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: @@ -70,9 +70,9 @@ jobs: with: name: ${{ needs.provenance.outputs.provenance-name }} - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" # Note: the 3 artifacts share the same provenance file. - name: Verify provenance artifact1 env: 
@@ -95,15 +95,15 @@ jobs: needs: [build, provenance] steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Download provenance uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.provenance.outputs.provenance-name }} - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - name: Alter artifacts run: | # Altered artifact. @@ -121,7 +121,7 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' && needs.no-verify.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -131,5 +131,5 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure' || needs.no-verify.result == 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.schedule.main.multi-uses.slsa3.yml b/.github/workflows/e2e.generic.schedule.main.multi-uses.slsa3.yml index 9e2cc79d1..93341c229 100644 --- a/.github/workflows/e2e.generic.schedule.main.multi-uses.slsa3.yml +++ b/.github/workflows/e2e.generic.schedule.main.multi-uses.slsa3.yml 
@@ -57,7 +57,7 @@ jobs: needs: [build-one, provenance-one] steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Download binary uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: @@ -67,9 +67,9 @@ jobs: with: name: ${{ needs.provenance-one.outputs.provenance-name }} - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - name: Verify provenance artifact1 env: BINARY: artifact1 @@ -124,7 +124,7 @@ jobs: needs: [build-two, provenance-two] steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Download binary uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: @@ -134,9 +134,9 @@ jobs: with: name: ${{ needs.provenance-two.outputs.provenance-name }} - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - name: Verify provenance artifact2 env: BINARY: artifact1 
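Review bot: The trailing context of hunk `@@ -134,9 +134,9 @@` in e2e.generic.schedule.main.multi-uses.slsa3.yml shows a step named `Verify provenance artifact2` that sets `BINARY: artifact1`, the same value as the `Verify provenance artifact1` step in the first verify job. If the job that needs `build-two` and `provenance-two` is meant to check the second build's output, this looks like a copy-paste slip, and the verification would not exercise that artifact. The expected line would be `BINARY: artifact2`, assuming that is the file build-two produces. The rest of the step and both build jobs are outside the hunk, so confirm against the full file before changing it.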
@@ -158,7 +158,7 @@ jobs: # to issues unless it's a schedule event. if: github.event_name == 'schedule' && needs.build-one.result == 'success' && needs.provenance-one.result == 'success' && needs.verify-one.result == 'success' && needs.build-two.result == 'success' && needs.provenance-two.result == 'success' && needs.verify-two.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -176,5 +176,5 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && (needs.build-one.result == 'failure' || needs.provenance-one.result == 'failure' || needs.verify-one.result == 'failure' || needs.build-two.result == 'failure' || needs.provenance-two.result == 'failure' || needs.verify-two.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.schedule.main.provenance-name.slsa3.yml b/.github/workflows/e2e.generic.schedule.main.provenance-name.slsa3.yml index 4cb501f64..c179d4736 100644 --- a/.github/workflows/e2e.generic.schedule.main.provenance-name.slsa3.yml +++ b/.github/workflows/e2e.generic.schedule.main.provenance-name.slsa3.yml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Bazelisk uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0 with: 
@@ -63,7 +63,7 @@ jobs: needs: [build, provenance] steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Download binary uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: @@ -73,9 +73,9 @@ jobs: with: name: ${{ needs.provenance.outputs.provenance-name }} - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - name: Verify provenance name env: PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} @@ -95,7 +95,7 @@ jobs: # to issues unless it's a schedule event. if: github.event_name == 'schedule' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -105,5 +105,5 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.tag.branch1.default.slsa3.yml b/.github/workflows/e2e.generic.tag.branch1.default.slsa3.yml index d051db44b..cf250d945 100644 --- a/.github/workflows/e2e.generic.tag.branch1.default.slsa3.yml +++ b/.github/workflows/e2e.generic.tag.branch1.default.slsa3.yml 
@@ -25,7 +25,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: ./.github/workflows/scripts/e2e-create-release.sh @@ -36,7 +36,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh @@ -49,7 +49,7 @@ jobs: digest: ${{ steps.hash.outputs.digest }} steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Bazelisk uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0 with: @@ -93,16 +93,16 @@ jobs: needs: [shim, build, provenance] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.provenance.outputs.provenance-name }} - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.binary-name }} PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} 
@@ -113,7 +113,7 @@ jobs: needs: [shim, build, provenance, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -121,5 +121,5 @@ jobs: needs: [shim, build, provenance, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.tag.main.annotated.slsa3.yml b/.github/workflows/e2e.generic.tag.main.annotated.slsa3.yml index 4b577beba..7b5991796 100644 --- a/.github/workflows/e2e.generic.tag.main.annotated.slsa3.yml +++ b/.github/workflows/e2e.generic.tag.main.annotated.slsa3.yml @@ -22,7 +22,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: ./.github/workflows/scripts/e2e-create-release.sh @@ -32,7 +32,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh 
@@ -82,16 +82,16 @@ jobs: needs: [shim, build, provenance] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: artifact1 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.provenance.outputs.provenance-name }} - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: artifact1 PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} @@ -102,7 +102,7 @@ jobs: needs: [shim, build, provenance, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -110,5 +110,5 @@ jobs: needs: [shim, build, provenance, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh 
diff --git a/.github/workflows/e2e.generic.tag.main.assets.slsa3.yml b/.github/workflows/e2e.generic.tag.main.assets.slsa3.yml index b5356842f..64a9d3aa1 100644 --- a/.github/workflows/e2e.generic.tag.main.assets.slsa3.yml +++ b/.github/workflows/e2e.generic.tag.main.assets.slsa3.yml @@ -22,7 +22,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: ./.github/workflows/scripts/e2e-create-release.sh @@ -32,7 +32,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh @@ -45,7 +45,7 @@ jobs: digest: ${{ steps.hash.outputs.digest }} steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Bazelisk uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0 with: 
@@ -90,16 +90,16 @@ jobs: needs: [shim, build, provenance] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.provenance.outputs.provenance-name }} - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.binary-name }} PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} @@ -110,7 +110,7 @@ jobs: needs: [shim, build, provenance, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -118,5 +118,5 @@ jobs: needs: [shim, build, provenance, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh 
diff --git a/.github/workflows/e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3.yml b/.github/workflows/e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3.yml index cb6005f61..71abfa252 100644 --- a/.github/workflows/e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3.yml +++ b/.github/workflows/e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3.yml @@ -22,7 +22,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: ./.github/workflows/scripts/e2e-create-release.sh @@ -32,7 +32,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh @@ -46,7 +46,7 @@ jobs: hashes: ${{ steps.hash.outputs.hashes }} steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Generate version flags id: args run: | @@ -61,7 +61,7 @@ jobs: - name: Run GoReleaser id: run-goreleaser - uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1 + uses: goreleaser/goreleaser-action@f06c13b6b1a9625abc9e6e439d9c05a8f2190e94 # v7.2.3 with: version: latest args: release --clean 
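Review bot: The `version: latest` input on the context line under the bumped `goreleaser/goreleaser-action` step (hunk `@@ -61,7 +61,7 @@`) leaves the GoReleaser binary itself unpinned, so the commit-SHA pin on the action does not cover the tool that produces the release artifacts and their checksums. Each run fetches whichever GoReleaser release is newest at that moment, which means two runs of the same workflow commit can build with different tooling. Consider an exact release instead, e.g. `version: "<exact GoReleaser release tag>"` (placeholder; the page does not name a release). If following the newest release is deliberate for this e2e test, a comment on that line such as `# intentionally unpinned: e2e exercises the newest GoReleaser` would make that clear. The step's `with:` block may continue past the end of the hunk.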
@@ -99,12 +99,12 @@ jobs: needs: [shim, build, provenance] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Download assets run: gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: CHECKSUMS_B64: ${{ needs.build.outputs.hashes }} PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} @@ -122,7 +122,7 @@ jobs: needs: [shim, build, provenance, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -130,5 +130,5 @@ jobs: needs: [shim, build, provenance, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.workflow_dispatch.branch1.default.slsa3.yml b/.github/workflows/e2e.generic.workflow_dispatch.branch1.default.slsa3.yml index ab32a6f4a..3d3da8bce 100644 
--- a/.github/workflows/e2e.generic.workflow_dispatch.branch1.default.slsa3.yml +++ b/.github/workflows/e2e.generic.workflow_dispatch.branch1.default.slsa3.yml @@ -23,7 +23,7 @@ jobs: actions: write contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-dispatch.sh build: @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Bazelisk uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0 with: @@ -78,16 +78,16 @@ jobs: needs: [build, provenance] if: github.event_name == 'workflow_dispatch' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.provenance.outputs.provenance-name }} - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.binary-name }} PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} 
@@ -98,7 +98,7 @@ jobs: needs: [build, provenance, verify] if: github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -106,5 +106,5 @@ jobs: needs: [build, provenance, verify] if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml b/.github/workflows/e2e.generic.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml index c3fae17fb..d28bc4384 100644 --- a/.github/workflows/e2e.generic.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml +++ b/.github/workflows/e2e.generic.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml @@ -41,7 +41,7 @@ jobs: needs: [provenance] if: needs.provenance.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: | set -euo pipefail diff --git a/.github/workflows/e2e.generic.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml b/.github/workflows/e2e.generic.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml index eca97a0c7..dc6618c6a 100644 --- a/.github/workflows/e2e.generic.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml 
+++ b/.github/workflows/e2e.generic.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml @@ -45,7 +45,7 @@ jobs: needs: [provenance] if: needs.provenance.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: | set -euo pipefail diff --git a/.github/workflows/e2e.generic.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.generic.workflow_dispatch.main.default.slsa3.yml index b615defe0..7d5ce5160 100644 --- a/.github/workflows/e2e.generic.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.generic.workflow_dispatch.main.default.slsa3.yml @@ -19,7 +19,7 @@ jobs: actions: write contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-dispatch.sh build: @@ -30,7 +30,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Bazelisk uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0 with: 
@@ -74,16 +74,16 @@ jobs: needs: [build, provenance] if: github.event_name == 'workflow_dispatch' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.provenance.outputs.provenance-name }} - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.binary-name }} PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} @@ -94,7 +94,7 @@ jobs: needs: [build, provenance, verify] if: github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -102,5 +102,5 @@ jobs: needs: [build, provenance, verify] if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects-adversarial-format.slsa3.yml b/.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects-adversarial-format.slsa3.yml index 947792d0a..15630406b 100644 
--- a/.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects-adversarial-format.slsa3.yml +++ b/.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects-adversarial-format.slsa3.yml @@ -19,7 +19,7 @@ jobs: actions: write contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-dispatch.sh build: @@ -30,7 +30,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Build artifact id: build run: | @@ -89,7 +89,7 @@ jobs: needs: [build] if: always() && github.event_name == 'workflow_dispatch' && needs.build.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh if-provenance-succeeded: @@ -98,7 +98,7 @@ jobs: # WARNING: This must only contain success statements. if: github.event_name == 'workflow_dispatch' && needs.provenance.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh if-provenance-failed: @@ -106,5 +106,5 @@ jobs: needs: [build, provenance] if: always() && github.event_name == 'workflow_dispatch' && needs.provenance.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh 
diff --git a/.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects-adversarial-sha256.slsa3.yml b/.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects-adversarial-sha256.slsa3.yml index 9a1a96bed..607be099a 100644 --- a/.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects-adversarial-sha256.slsa3.yml +++ b/.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects-adversarial-sha256.slsa3.yml @@ -19,7 +19,7 @@ jobs: actions: write contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-dispatch.sh build: @@ -30,7 +30,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Build artifact id: build run: | @@ -90,7 +90,7 @@ jobs: needs: [build] if: always() && github.event_name == 'workflow_dispatch' && needs.build.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh if-provenance-succeeded: @@ -99,7 +99,7 @@ jobs: # WARNING: This must only contain success statements. if: github.event_name == 'workflow_dispatch' && needs.provenance.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh if-provenance-failed: 
@@ -107,5 +107,5 @@ jobs: needs: [build, provenance] if: always() && github.event_name == 'workflow_dispatch' && needs.provenance.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh diff --git a/.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects.slsa3.yml b/.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects.slsa3.yml index 9a3d27831..02497bb2c 100644 --- a/.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects.slsa3.yml +++ b/.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects.slsa3.yml @@ -19,7 +19,7 @@ jobs: actions: write contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-dispatch.sh build: @@ -30,7 +30,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Build artifact id: build run: | 
@@ -88,16 +88,16 @@ jobs: needs: [build, provenance] if: github.event_name == 'workflow_dispatch' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.provenance.outputs.provenance-name }} - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.binary-name }} PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} @@ -108,7 +108,7 @@ jobs: needs: [build, provenance, verify] if: github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -116,5 +116,5 @@ jobs: needs: [build, provenance, verify] if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.workflow_dispatch.main.tagname.slsa3.yml b/.github/workflows/e2e.generic.workflow_dispatch.main.tagname.slsa3.yml index 2aba82b4b..ea08a7b4c 100644 
--- a/.github/workflows/e2e.generic.workflow_dispatch.main.tagname.slsa3.yml +++ b/.github/workflows/e2e.generic.workflow_dispatch.main.tagname.slsa3.yml @@ -23,7 +23,7 @@ jobs: outputs: tag: ${{ steps.create.outputs.tag }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: ./.github/workflows/scripts/e2e-create-release.sh @@ -76,7 +76,7 @@ jobs: TAG: ${{ needs.release.outputs.tag }} steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Download binary uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: @@ -84,9 +84,9 @@ jobs: - name: Download provenance run: gh release download "$TAG" -p "$PROVENANCE" - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - name: Verify provenance artifact1 env: BINARY: artifact1 @@ -98,7 +98,7 @@ jobs: needs: [release, build, provenance, verify] if: needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -106,5 +106,5 @@ jobs: needs: [release, build, provenance, verify] if: always() && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.workflow_dispatch.main.workflow_inputs.slsa3.yml b/.github/workflows/e2e.generic.workflow_dispatch.main.workflow_inputs.slsa3.yml index 5b8385c5d..1a3be57f2 100644 --- a/.github/workflows/e2e.generic.workflow_dispatch.main.workflow_inputs.slsa3.yml +++ b/.github/workflows/e2e.generic.workflow_dispatch.main.workflow_inputs.slsa3.yml @@ -24,7 +24,7 @@ jobs: actions: write contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-dispatch.sh build: @@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Bazelisk uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0 with: 
@@ -79,16 +79,16 @@ jobs: needs: [build, provenance] if: github.event_name == 'workflow_dispatch' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.provenance.outputs.provenance-name }} - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.binary-name }} PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} @@ -99,7 +99,7 @@ jobs: needs: [build, provenance, verify] if: github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -107,5 +107,5 @@ jobs: needs: [build, provenance, verify] if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.go.push.branch1.config-ldflags.slsa3.yml b/.github/workflows/e2e.go.push.branch1.config-ldflags.slsa3.yml index 9849ba386..b900c81f6 100644 --- a/.github/workflows/e2e.go.push.branch1.config-ldflags.slsa3.yml 
+++ b/.github/workflows/e2e.go.push.branch1.config-ldflags.slsa3.yml @@ -23,7 +23,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: | set -euo pipefail @@ -35,7 +35,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: | set -euo pipefail @@ -56,7 +56,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - id: ldflags @@ -98,16 +98,16 @@ jobs: needs: [shim, build] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, 
@@ -120,7 +120,7 @@ jobs: needs: [shim, build, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -128,5 +128,5 @@ jobs: needs: [shim, build, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.go.push.main.config-ldflags.slsa3.yml b/.github/workflows/e2e.go.push.main.config-ldflags.slsa3.yml index 24f9e189a..790fa109b 100644 --- a/.github/workflows/e2e.go.push.main.config-ldflags.slsa3.yml +++ b/.github/workflows/e2e.go.push.main.config-ldflags.slsa3.yml @@ -22,7 +22,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-push.sh args: @@ -34,7 +34,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - id: ldflags 
@@ -69,16 +69,16 @@ jobs: needs: build if: github.event_name == 'push' && github.event.head_commit.message == github.workflow steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -91,7 +91,7 @@ jobs: needs: [build, verify] if: github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -99,5 +99,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.go.push.main.config-noldflags.slsa3.yml b/.github/workflows/e2e.go.push.main.config-noldflags.slsa3.yml index bf93f327b..135232701 100644 
--- a/.github/workflows/e2e.go.push.main.config-noldflags.slsa3.yml +++ b/.github/workflows/e2e.go.push.main.config-noldflags.slsa3.yml @@ -22,7 +22,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-push.sh # TODO: support multiple config files. @@ -44,16 +44,16 @@ jobs: needs: build if: github.event_name == 'push' && github.event.head_commit.message == github.workflow steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -66,7 +66,7 @@ jobs: needs: [build, verify] if: github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -74,5 +74,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml b/.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml index 268f53a1d..00771b683 100644 --- a/.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml +++ b/.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml @@ -23,7 +23,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: | set -euo pipefail @@ -36,7 +36,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: | set -euo pipefail @@ -53,7 +53,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - id: ldflags 
@@ -95,16 +95,16 @@ jobs: needs: [shim, build] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'release' && github.ref_type == 'tag' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -120,7 +120,7 @@ jobs: needs: [shim, build, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'release' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: | set -euo pipefail @@ -131,7 +131,7 @@ jobs: needs: [shim, build, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'release' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: | set -euo pipefail diff --git a/.github/workflows/e2e.go.release.main.config-ldflags-assets.slsa3.yml b/.github/workflows/e2e.go.release.main.config-ldflags-assets.slsa3.yml index 7d61cf25c..ac83c7106 100644 
--- a/.github/workflows/e2e.go.release.main.config-ldflags-assets.slsa3.yml +++ b/.github/workflows/e2e.go.release.main.config-ldflags-assets.slsa3.yml @@ -23,7 +23,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: | set -euo pipefail @@ -36,7 +36,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: | set -euo pipefail @@ -53,7 +53,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - id: ldflags @@ -95,16 +95,16 @@ jobs: needs: [shim, build] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'release' && github.ref_type == 'tag' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, 
@@ -117,7 +117,7 @@ jobs: needs: [shim, build, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'release' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -125,5 +125,5 @@ jobs: needs: [shim, build, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'release' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.go.release.main.config-ldflags-noassets.slsa3.yml b/.github/workflows/e2e.go.release.main.config-ldflags-noassets.slsa3.yml index c243ee83a..0166e7ec5 100644 --- a/.github/workflows/e2e.go.release.main.config-ldflags-noassets.slsa3.yml +++ b/.github/workflows/e2e.go.release.main.config-ldflags-noassets.slsa3.yml @@ -23,7 +23,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: ./.github/workflows/scripts/e2e-create-release.sh @@ -33,7 +33,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh 
@@ -47,7 +47,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - id: ldflags @@ -82,16 +82,16 @@ jobs: needs: [shim, build] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'release' && github.ref_type == 'tag' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -104,7 +104,7 @@ jobs: needs: [shim, build, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'release' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -112,5 +112,5 @@ jobs: needs: [shim, build, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'release' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.go.schedule.main.adversarial-binary-upload.slsa3.yml b/.github/workflows/e2e.go.schedule.main.adversarial-binary-upload.slsa3.yml index 5b9b34685..cfcfc1923 100644 --- a/.github/workflows/e2e.go.schedule.main.adversarial-binary-upload.slsa3.yml +++ b/.github/workflows/e2e.go.schedule.main.adversarial-binary-upload.slsa3.yml @@ -19,7 +19,7 @@ jobs: binary-upload-tamper: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: ./.github/actions/tamper-artifact-new with: artifact-prefix: slsa-builder-go-linux-amd64 @@ -52,7 +52,7 @@ jobs: # to issues unless it's a schedule event. if: github.event_name == 'schedule' && needs.build.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: | set -euo pipefail @@ -66,7 +66,7 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && needs.build.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: | set -euo pipefail 
diff --git a/.github/workflows/e2e.go.schedule.main.adversarial-build-provenance.slsa3.yml b/.github/workflows/e2e.go.schedule.main.adversarial-build-provenance.slsa3.yml index 8b51cca80..b36cf1b95 100644 --- a/.github/workflows/e2e.go.schedule.main.adversarial-build-provenance.slsa3.yml +++ b/.github/workflows/e2e.go.schedule.main.adversarial-build-provenance.slsa3.yml @@ -19,7 +19,7 @@ jobs: build-provenance-tamper: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: ./.github/actions/tamper-artifact-new with: # Note: pretty hard to time correctly in practice. Often times the build part will fail instead. @@ -54,7 +54,7 @@ jobs: # to issues unless it's a schedule event. if: github.event_name == 'schedule' && needs.build.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # The builder should fail if the builder is tampered with. - run: ./.github/workflows/scripts/e2e-report-failure.sh @@ -65,6 +65,6 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && needs.build.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # The builder should fail if the builder is tampered with. - run: ./.github/workflows/scripts/e2e-report-success.sh diff --git a/.github/workflows/e2e.go.schedule.main.adversarial-build.slsa3.yml b/.github/workflows/e2e.go.schedule.main.adversarial-build.slsa3.yml index 50e2483bd..1ef383589 100644 --- a/.github/workflows/e2e.go.schedule.main.adversarial-build.slsa3.yml +++ b/.github/workflows/e2e.go.schedule.main.adversarial-build.slsa3.yml 
@@ -19,7 +19,7 @@ jobs: build-tamper: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Note: build-dry and build should fail. It's hard to tell which failed, # but they both should. It's good enough to verify that the re-usable workflow always fails. - uses: ./.github/actions/tamper-artifact-new @@ -54,7 +54,7 @@ jobs: # to issues unless it's a schedule event. if: github.event_name == 'schedule' && needs.build.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # The builder should fail if the builder is tampered with. - run: ./.github/workflows/scripts/e2e-report-failure.sh @@ -65,6 +65,6 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && needs.build.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # The builder should fail if the builder is tampered with. - run: ./.github/workflows/scripts/e2e-report-success.sh diff --git a/.github/workflows/e2e.go.schedule.main.adversarial-invalidpath.yml b/.github/workflows/e2e.go.schedule.main.adversarial-invalidpath.yml index 15b250d3c..2f173e523 100644 --- a/.github/workflows/e2e.go.schedule.main.adversarial-invalidpath.yml +++ b/.github/workflows/e2e.go.schedule.main.adversarial-invalidpath.yml @@ -40,7 +40,7 @@ jobs: # to issues unless it's a schedule event. if: github.event_name == 'schedule' && needs.build.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh if-failed: 
@@ -50,5 +50,5 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && needs.build.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh diff --git a/.github/workflows/e2e.go.schedule.main.config-ldflags-main-dir.slsa3.yml b/.github/workflows/e2e.go.schedule.main.config-ldflags-main-dir.slsa3.yml index 0af7f67ca..7debee04d 100644 --- a/.github/workflows/e2e.go.schedule.main.config-ldflags-main-dir.slsa3.yml +++ b/.github/workflows/e2e.go.schedule.main.config-ldflags-main-dir.slsa3.yml @@ -25,7 +25,7 @@ jobs: main: ${{ steps.ldflags.outputs.main }} steps: - id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - id: ldflags @@ -67,16 +67,16 @@ jobs: runs-on: ubuntu-latest needs: build steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} PROVENANCE: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl 
@@ -89,7 +89,7 @@ jobs: # to issues unless it's a schedule event. if: github.event_name == 'schedule' && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -99,5 +99,5 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.go.schedule.main.config-ldflags-main.slsa3.yml b/.github/workflows/e2e.go.schedule.main.config-ldflags-main.slsa3.yml index 32a66ed62..6f4296a5a 100644 --- a/.github/workflows/e2e.go.schedule.main.config-ldflags-main.slsa3.yml +++ b/.github/workflows/e2e.go.schedule.main.config-ldflags-main.slsa3.yml @@ -24,7 +24,7 @@ jobs: main: ${{ steps.ldflags.outputs.main }} steps: - id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - id: ldflags 
@@ -59,16 +59,16 @@ jobs: runs-on: ubuntu-latest needs: build steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -83,7 +83,7 @@ jobs: # to issues unless it's a schedule event. if: github.event_name == 'schedule' && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -93,5 +93,5 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.go.schedule.main.config-noldflags.slsa3.yml b/.github/workflows/e2e.go.schedule.main.config-noldflags.slsa3.yml index e60b8647d..9afc51443 100644 --- a/.github/workflows/e2e.go.schedule.main.config-noldflags.slsa3.yml +++ b/.github/workflows/e2e.go.schedule.main.config-noldflags.slsa3.yml 
@@ -31,16 +31,16 @@ jobs: runs-on: ubuntu-latest needs: build steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -55,7 +55,7 @@ jobs: # to issues unless it's a schedule event. if: github.event_name == 'schedule' && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -65,5 +65,5 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.go.schedule.main.noldflags-multi-uses.slsa3.yml b/.github/workflows/e2e.go.schedule.main.noldflags-multi-uses.slsa3.yml index 5b970feb9..aa21da7ec 100644 --- a/.github/workflows/e2e.go.schedule.main.noldflags-multi-uses.slsa3.yml 
+++ b/.github/workflows/e2e.go.schedule.main.noldflags-multi-uses.slsa3.yml @@ -31,16 +31,16 @@ jobs: runs-on: ubuntu-latest needs: build-one steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build-one.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build-one.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build-one.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -53,7 +53,7 @@ jobs: needs: [build-one, verify-one] if: needs.build-one.result == 'success' && needs.verify-one.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed-one: @@ -61,7 +61,7 @@ jobs: needs: [build-one, verify-one] if: always() && (needs.build-one.result == 'failure' || needs.verify-one.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh build-two: 
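Review bot: The success-report job for `build-one` (hunk `@@ -53,7 +53,7 @@`) and `if-failed-one` (`@@ -61,7 +61,7 @@`) have no `github.event_name == 'schedule'` guard, while the `-two` counterparts later in this file carry it under a comment about not reporting to issues unless it is a schedule event. If the difference is not deliberate, a run started by any other trigger would still invoke the report scripts for the first build; the guarded forms would be `if: github.event_name == 'schedule' && needs.build-one.result == 'success' && needs.verify-one.result == 'success'` and `if: always() && github.event_name == 'schedule' && (needs.build-one.result == 'failure' || needs.verify-one.result == 'failure')`. The workflow's `on:` triggers are outside the hunks, so this only matters if something other than `schedule` can start it.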
@@ -80,16 +80,16 @@ jobs: runs-on: ubuntu-latest needs: build-two steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build-two.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build-two.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build-two.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -104,7 +104,7 @@ jobs: # to issues unless it's a schedule event. if: github.event_name == 'schedule' && needs.build-two.result == 'success' && needs.verify-two.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed-two: @@ -114,5 +114,5 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && (needs.build-two.result == 'failure' || needs.verify-two.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.go.tag.branch1.config-ldflags-assets.slsa3.yml b/.github/workflows/e2e.go.tag.branch1.config-ldflags-assets.slsa3.yml index 9c612701c..d8f9718bb 100644 --- a/.github/workflows/e2e.go.tag.branch1.config-ldflags-assets.slsa3.yml 
+++ b/.github/workflows/e2e.go.tag.branch1.config-ldflags-assets.slsa3.yml @@ -24,7 +24,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-create-release.sh shim: @@ -33,7 +33,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh @@ -47,7 +47,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - id: ldflags @@ -82,16 +82,16 @@ jobs: needs: [shim, build] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, 
@@ -104,7 +104,7 @@ jobs: needs: [shim, build, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -112,5 +112,5 @@ jobs: needs: [shim, build, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.go.tag.main.adversarial-asset-binary.slsa3.yml b/.github/workflows/e2e.go.tag.main.adversarial-asset-binary.slsa3.yml index fc3627a0c..65f48d00a 100644 --- a/.github/workflows/e2e.go.tag.main.adversarial-asset-binary.slsa3.yml +++ b/.github/workflows/e2e.go.tag.main.adversarial-asset-binary.slsa3.yml @@ -26,7 +26,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: ./.github/workflows/scripts/e2e-create-release.sh @@ -36,7 +36,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh 
@@ -45,7 +45,7 @@ jobs: if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: ./.github/actions/tamper-artifact-new with: artifact-name: binary-linux-amd64 @@ -63,7 +63,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - id: ldflags @@ -98,7 +98,7 @@ jobs: needs: [shim, build] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh if-failed: @@ -106,5 +106,5 @@ jobs: needs: [shim, build] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh diff --git a/.github/workflows/e2e.go.tag.main.adversarial-asset-provenance.slsa3.yml b/.github/workflows/e2e.go.tag.main.adversarial-asset-provenance.slsa3.yml index 1e7821455..e8a5390e7 100644 --- a/.github/workflows/e2e.go.tag.main.adversarial-asset-provenance.slsa3.yml +++ b/.github/workflows/e2e.go.tag.main.adversarial-asset-provenance.slsa3.yml 
@@ -26,7 +26,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: | set -euo pipefail @@ -39,7 +39,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: | set -euo pipefail @@ -51,7 +51,7 @@ jobs: if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: ./.github/actions/tamper-artifact-new with: artifact-name: binary-linux-amd64.intoto.jsonl @@ -69,7 +69,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - id: ldflags @@ -111,7 +111,7 @@ jobs: needs: [shim, build] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: | set -euo pipefail @@ -122,7 +122,7 @@ jobs: needs: [shim, build] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: | set -euo pipefail 
diff --git a/.github/workflows/e2e.go.tag.main.config-ldflags-assets-draft-tag.slsa3.yml b/.github/workflows/e2e.go.tag.main.config-ldflags-assets-draft-tag.slsa3.yml index c4796ef2f..85dc01a45 100644 --- a/.github/workflows/e2e.go.tag.main.config-ldflags-assets-draft-tag.slsa3.yml +++ b/.github/workflows/e2e.go.tag.main.config-ldflags-assets-draft-tag.slsa3.yml @@ -26,7 +26,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create # Push a new tag rather than a creating a release since creating draft # releases don't create tags and don't trigger workflows. @@ -38,7 +38,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh @@ -52,7 +52,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - id: ldflags 
@@ -91,16 +91,16 @@ jobs: contents: write # Allows github token to read draft releases. if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -113,7 +113,7 @@ jobs: needs: [shim, build, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -121,5 +121,5 @@ jobs: needs: [shim, build, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh 
diff --git a/.github/workflows/e2e.go.tag.main.config-ldflags-assets-prerelease-tag.slsa3.yml b/.github/workflows/e2e.go.tag.main.config-ldflags-assets-prerelease-tag.slsa3.yml index 5d3d5379c..6f7e7c7e5 100644 --- a/.github/workflows/e2e.go.tag.main.config-ldflags-assets-prerelease-tag.slsa3.yml +++ b/.github/workflows/e2e.go.tag.main.config-ldflags-assets-prerelease-tag.slsa3.yml @@ -24,7 +24,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: | set -euo pipefail @@ -37,7 +37,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: | set -euo pipefail @@ -54,7 +54,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - id: ldflags 
@@ -97,16 +97,16 @@ jobs: needs: [shim, build] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -119,7 +119,7 @@ jobs: needs: [shim, build, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -127,5 +127,5 @@ jobs: needs: [shim, build, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh 
diff --git a/.github/workflows/e2e.go.tag.main.config-ldflags-assets-tag.slsa3.yml b/.github/workflows/e2e.go.tag.main.config-ldflags-assets-tag.slsa3.yml index e6dec50a7..9a53a6dc0 100644 --- a/.github/workflows/e2e.go.tag.main.config-ldflags-assets-tag.slsa3.yml +++ b/.github/workflows/e2e.go.tag.main.config-ldflags-assets-tag.slsa3.yml @@ -24,7 +24,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: | set -euo pipefail @@ -37,7 +37,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: | set -euo pipefail @@ -54,7 +54,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - id: ldflags 
@@ -96,16 +96,16 @@ jobs: needs: [shim, build] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -118,7 +118,7 @@ jobs: needs: [shim, build, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -126,5 +126,5 @@ jobs: needs: [shim, build, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh 
diff --git a/.github/workflows/e2e.go.tag.main.config-ldflags-assets.slsa3.yml b/.github/workflows/e2e.go.tag.main.config-ldflags-assets.slsa3.yml index 196469770..57c2e9b18 100644 --- a/.github/workflows/e2e.go.tag.main.config-ldflags-assets.slsa3.yml +++ b/.github/workflows/e2e.go.tag.main.config-ldflags-assets.slsa3.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: ./.github/workflows/scripts/e2e-create-release.sh @@ -35,7 +35,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh @@ -49,7 +49,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - id: ldflags 
@@ -84,16 +84,16 @@ jobs: needs: [shim, build] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -106,7 +106,7 @@ jobs: needs: [shim, build, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -114,5 +114,5 @@ jobs: needs: [shim, build, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh 
diff --git a/.github/workflows/e2e.go.tag.main.config-ldflags-noassets.slsa3.yml b/.github/workflows/e2e.go.tag.main.config-ldflags-noassets.slsa3.yml index 6f94957b5..a4f43d073 100644 --- a/.github/workflows/e2e.go.tag.main.config-ldflags-noassets.slsa3.yml +++ b/.github/workflows/e2e.go.tag.main.config-ldflags-noassets.slsa3.yml @@ -24,7 +24,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: ./.github/workflows/scripts/e2e-create-release.sh @@ -34,7 +34,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh @@ -48,7 +48,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - id: ldflags 
@@ -83,16 +83,16 @@ jobs: needs: [shim, build] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -105,7 +105,7 @@ jobs: needs: [shim, build, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -113,5 +113,5 @@ jobs: needs: [shim, build, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh 
diff --git a/.github/workflows/e2e.go.workflow_dispatch.branch1.config-ldflags.slsa3.yml b/.github/workflows/e2e.go.workflow_dispatch.branch1.config-ldflags.slsa3.yml index 519a4f6f3..bd7b78e3b 100644 --- a/.github/workflows/e2e.go.workflow_dispatch.branch1.config-ldflags.slsa3.yml +++ b/.github/workflows/e2e.go.workflow_dispatch.branch1.config-ldflags.slsa3.yml @@ -22,7 +22,7 @@ jobs: # WARNING: need `github.ref_name == 'main'` to avoid infinite loop when triggering manually. if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.ref_name == 'main') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-dispatch.sh shim: @@ -31,7 +31,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify env: REF_NAME: ${{ github.ref_name }} @@ -54,7 +54,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - id: ldflags 
@@ -89,16 +89,16 @@ jobs: needs: [shim, build] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'workflow_dispatch' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -111,7 +111,7 @@ jobs: needs: [shim, build, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -119,5 +119,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.go.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml b/.github/workflows/e2e.go.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml index eb7a4de39..55fee2a7a 100644 
--- a/.github/workflows/e2e.go.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml +++ b/.github/workflows/e2e.go.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml @@ -21,7 +21,7 @@ jobs: needs: [build] if: needs.build.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: | set -euo pipefail diff --git a/.github/workflows/e2e.go.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml b/.github/workflows/e2e.go.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml index c33547cfa..bdb3d9033 100644 --- a/.github/workflows/e2e.go.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml +++ b/.github/workflows/e2e.go.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml @@ -25,7 +25,7 @@ jobs: needs: [build] if: needs.build.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: | set -euo pipefail diff --git a/.github/workflows/e2e.go.workflow_dispatch.main.config-noldflags.slsa3.yml b/.github/workflows/e2e.go.workflow_dispatch.main.config-noldflags.slsa3.yml index ed96a5c4e..82b6c054f 100644 --- a/.github/workflows/e2e.go.workflow_dispatch.main.config-noldflags.slsa3.yml +++ b/.github/workflows/e2e.go.workflow_dispatch.main.config-noldflags.slsa3.yml @@ -21,7 +21,7 @@ jobs: actions: write contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-dispatch.sh # TODO: support multiple config files. 
@@ -43,16 +43,16 @@ jobs: needs: build if: github.event_name == 'workflow_dispatch' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -68,7 +68,7 @@ jobs: needs: [build, verify] if: github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -76,5 +76,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.go.workflow_dispatch.main.tagname-noldflags.slsa3.yml b/.github/workflows/e2e.go.workflow_dispatch.main.tagname-noldflags.slsa3.yml index 1eba21495..092b667c8 100644 --- a/.github/workflows/e2e.go.workflow_dispatch.main.tagname-noldflags.slsa3.yml 
+++ b/.github/workflows/e2e.go.workflow_dispatch.main.tagname-noldflags.slsa3.yml @@ -22,7 +22,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: create run: ./.github/workflows/scripts/e2e-create-release.sh @@ -45,7 +45,7 @@ jobs: runs-on: ubuntu-latest needs: [release, build] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} @@ -54,9 +54,9 @@ jobs: PROVENANCE: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl TAG: ${{ needs.release.outputs.tag }} run: gh release download "$TAG" -p "$PROVENANCE" - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -69,7 +69,7 @@ jobs: needs: [release, build, verify] if: needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -77,5 +77,5 @@ jobs: needs: [release, build, verify] if: always() && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh 
diff --git a/.github/workflows/e2e.go.workflow_dispatch.main.workflow_inputs-noldflags.slsa3.yml b/.github/workflows/e2e.go.workflow_dispatch.main.workflow_inputs-noldflags.slsa3.yml index a62362852..c15002d54 100644 --- a/.github/workflows/e2e.go.workflow_dispatch.main.workflow_inputs-noldflags.slsa3.yml +++ b/.github/workflows/e2e.go.workflow_dispatch.main.workflow_inputs-noldflags.slsa3.yml @@ -26,7 +26,7 @@ jobs: actions: write contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: | set -euo pipefail @@ -51,16 +51,16 @@ jobs: needs: build if: github.event_name == 'workflow_dispatch' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: BINARY: ${{ needs.build.outputs.go-binary-name }} # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`, @@ -73,7 +73,7 @@ jobs: needs: [build, verify] if: github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -81,5 +81,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.gradle.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.gradle.workflow_dispatch.main.default.slsa3.yml index 3ea30bf29..e3dd357e3 100644 --- a/.github/workflows/e2e.gradle.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.gradle.workflow_dispatch.main.default.slsa3.yml @@ -28,7 +28,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - env: PACKAGE_DIR: ./e2e/gradle/workflow_dispatch run: ./.github/workflows/scripts/e2e-gradle-push.sh @@ -38,7 +38,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build)) && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow @@ -70,7 +70,7 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: slsa-framework/slsa-github-generator/actions/gradle/secure-download-attestations@main with: name: "${{ needs.build.outputs.provenance-download-name }}" 
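Review bot: The `slsa-framework/slsa-github-generator/actions/gradle/secure-download-attestations@main` step in the `@@ -70,7 +70,7 @@` hunk of e2e.gradle.workflow_dispatch.main.default.slsa3.yml still resolves through a mutable branch, while every `uses:` line this commit touches is pinned to a full commit SHA with a version comment. The same unpinned line appears in the matching hunk of e2e.gradle.workflow_dispatch.main.project-at-repo-root.slsa3.yml. Judging by its name, this step fetches the attestations that the verify job goes on to check, so whatever `main` points to at run time executes inside that job and is not covered by the digest updates made here. If following the generator's head is intended for this e2e test (plausible, but not stated in the visible lines), say so next to the step, e.g. `# Intentionally unpinned: this e2e test runs the generator action at main`; otherwise pin it in the same form as the other steps, `...secure-download-attestations@<full-commit-sha> # <version>`.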
@@ -82,9 +82,9 @@ jobs: sha256: "${{ needs.build.outputs.build-download-sha256 }}" path: ./ # NOTE: To build slsa-verifier in e2e.gradle.default.verify.sh - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: PROVENANCE_DIR: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}" EXPECTED_ARTIFACT_OUTPUT: "Hello world!" @@ -96,7 +96,7 @@ jobs: needs: [build, verify] if: needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -104,5 +104,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'workflow_dispatch' && inputs.trigger_build && (needs.build.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.gradle.workflow_dispatch.main.project-at-repo-root.slsa3.yml b/.github/workflows/e2e.gradle.workflow_dispatch.main.project-at-repo-root.slsa3.yml index dd9e96dc5..4e2aef417 100644 --- a/.github/workflows/e2e.gradle.workflow_dispatch.main.project-at-repo-root.slsa3.yml +++ b/.github/workflows/e2e.gradle.workflow_dispatch.main.project-at-repo-root.slsa3.yml @@ -28,7 +28,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - env: PACKAGE_DIR: ./ run: ./.github/workflows/scripts/e2e-gradle-push.sh 
@@ -38,7 +38,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build)) && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow @@ -70,7 +70,7 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: slsa-framework/slsa-github-generator/actions/gradle/secure-download-attestations@main with: name: "${{ needs.build.outputs.provenance-download-name }}" @@ -82,9 +82,9 @@ jobs: sha256: "${{ needs.build.outputs.build-download-sha256 }}" path: ./ # NOTE: To build slsa-verifier in e2e.gradle.default.verify.sh - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: PROVENANCE_DIR: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}" EXPECTED_ARTIFACT_OUTPUT: "Hello world!" @@ -96,7 +96,7 @@ jobs: needs: [build, verify] if: needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -104,5 +104,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'workflow_dispatch' && inputs.trigger_build && (needs.build.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.installer-action.yml b/.github/workflows/e2e.installer-action.yml index 48fca4c3b..f2ff41ce7 100644 --- a/.github/workflows/e2e.installer-action.yml +++ b/.github/workflows/e2e.installer-action.yml @@ -40,7 +40,7 @@ jobs: needs: [installer] if: needs.installer.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -48,5 +48,5 @@ jobs: needs: [installer] if: always() && needs.installer.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 65594d968..5379ff0fd 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -28,7 +28,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - env: PACKAGE_DIR: ./e2e/maven/workflow_dispatch run: ./.github/workflows/scripts/e2e-maven-push.sh 
@@ -38,7 +38,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build)) && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow @@ -69,7 +69,7 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: slsa-framework/slsa-github-generator/actions/maven/secure-download-attestations@main with: name: "${{ needs.build.outputs.provenance-download-name }}" @@ -81,9 +81,9 @@ jobs: sha256: "${{ needs.build.outputs.target-download-sha256 }}" path: ./ # NOTE: To build slsa-verifier in e2e.maven.default.verify.sh - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - env: PROVENANCE_DIR: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}" EXPECTED_ARTIFACT_OUTPUT: "Hello world!" @@ -94,7 +94,7 @@ jobs: needs: [build, verify] if: needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -102,5 +102,5 @@ jobs: needs: [build, verify] if: always() && github.event_name == 'workflow_dispatch' && inputs.trigger_build && (needs.build.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.nodejs.create.main.default.slsa3.yml b/.github/workflows/e2e.nodejs.create.main.default.slsa3.yml index 846e7491b..2554fd149 100644 --- a/.github/workflows/e2e.nodejs.create.main.default.slsa3.yml +++ b/.github/workflows/e2e.nodejs.create.main.default.slsa3.yml @@ -24,7 +24,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -33,7 +33,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow 
@@ -90,15 +90,15 @@ jobs: runs-on: ubuntu-latest needs: [build, publish] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node environment uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 # NOTE: for building the verifier. - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - run: ./.github/workflows/scripts/e2e.nodejs.default.verify.sh if-succeeded: @@ -106,7 +106,7 @@ jobs: needs: [build, publish, verify] if: needs.build.result == 'success' && needs.publish.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -114,5 +114,5 @@ jobs: needs: [build, publish, verify] if: always() && github.event_name == 'create' && startsWith(github.ref, 'refs/tags/v39') && (needs.build.result != 'success' || needs.publish.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.nodejs.push.branch1.default.slsa3.yml b/.github/workflows/e2e.nodejs.push.branch1.default.slsa3.yml index b756e6b2a..394123a14 100644 --- a/.github/workflows/e2e.nodejs.push.branch1.default.slsa3.yml +++ b/.github/workflows/e2e.nodejs.push.branch1.default.slsa3.yml 
@@ -25,7 +25,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -34,7 +34,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow @@ -91,15 +91,15 @@ jobs: runs-on: ubuntu-latest needs: [shim, build, publish] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node environment uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 # NOTE: for building the verifier. - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - run: ./.github/workflows/scripts/e2e.nodejs.default.verify.sh if-succeeded: @@ -107,7 +107,7 @@ jobs: needs: [build, publish, verify] if: needs.build.result == 'success' && needs.publish.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -115,5 +115,5 @@ jobs: needs: [build, publish, verify] if: always() && github.ref_type == 'branch' && github.ref_name == 'branch1' && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result != 'success' || needs.publish.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.nodejs.push.main.adversarial.slsa3.yml b/.github/workflows/e2e.nodejs.push.main.adversarial.slsa3.yml index d450642b1..e75de67db 100644 --- a/.github/workflows/e2e.nodejs.push.main.adversarial.slsa3.yml +++ b/.github/workflows/e2e.nodejs.push.main.adversarial.slsa3.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -34,7 +34,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow 
@@ -69,7 +69,7 @@ jobs: runs-on: ubuntu-latest if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.adversarial-cmd.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -77,5 +77,5 @@ jobs: runs-on: ubuntu-latest if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.adversarial-cmd.result != 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.nodejs.push.main.custom_publish.slsa3.yml b/.github/workflows/e2e.nodejs.push.main.custom_publish.slsa3.yml index 89e9d17bf..ddcbab62b 100644 --- a/.github/workflows/e2e.nodejs.push.main.custom_publish.slsa3.yml +++ b/.github/workflows/e2e.nodejs.push.main.custom_publish.slsa3.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -34,7 +34,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow 
@@ -100,15 +100,15 @@ jobs: needs: [build, publish] runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node environment uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 # NOTE: for building the verifier. - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - run: ./.github/workflows/scripts/e2e.nodejs.default.verify.sh if-succeeded: @@ -116,7 +116,7 @@ jobs: runs-on: ubuntu-latest if: needs.build.result == 'success' && needs.publish.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -124,5 +124,5 @@ jobs: runs-on: ubuntu-latest if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result != 'success' || needs.publish.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.nodejs.push.main.default.slsa3.yml b/.github/workflows/e2e.nodejs.push.main.default.slsa3.yml index 43c7ad305..4fcdd3862 100644 --- a/.github/workflows/e2e.nodejs.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.nodejs.push.main.default.slsa3.yml 
@@ -25,7 +25,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -34,7 +34,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow @@ -89,13 +89,13 @@ jobs: needs: [build, publish] runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node environment uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # NOTE: for building the verifier. - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - run: ./.github/workflows/scripts/e2e.nodejs.default.verify.sh if-succeeded: @@ -103,7 +103,7 @@ jobs: runs-on: ubuntu-latest if: needs.build.result == 'success' && needs.publish.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
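Review bot: The `actions/setup-node` step in this verify job (e2e.nodejs.push.main.default.slsa3.yml, hunk at line 89) has no `with:` block, whereas the matching step in the other nodejs workflows in this patch passes `node-version: 20`. Without that input the job presumably uses whichever Node the runner image already provides, so this workflow can drift from its siblings when the image changes. Either add `with:` and `node-version: 20` under the step, or, if the omission is intentional for the default case, say so with a comment such as `# NOTE: node-version left unset on purpose`. The job header is outside the hunk, so the job name is inferred from the `e2e.nodejs.default.verify.sh` step.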
@@ -111,5 +111,5 @@ jobs: runs-on: ubuntu-latest if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result != 'success' || needs.publish.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.nodejs.push.main.disttag.slsa3.yml b/.github/workflows/e2e.nodejs.push.main.disttag.slsa3.yml index 03979ffad..1a4daa1ed 100644 --- a/.github/workflows/e2e.nodejs.push.main.disttag.slsa3.yml +++ b/.github/workflows/e2e.nodejs.push.main.disttag.slsa3.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -36,7 +36,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow 
@@ -94,15 +94,15 @@ jobs: needs: [build, publish] runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node environment uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 # NOTE: for building the verifier. - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - run: ./.github/workflows/scripts/e2e.nodejs.default.verify.sh if-succeeded: @@ -110,7 +110,7 @@ jobs: runs-on: ubuntu-latest if: needs.build.result == 'success' && needs.publish.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -118,5 +118,5 @@ jobs: runs-on: ubuntu-latest if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result != 'success' || needs.publish.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.nodejs.push.main.node16.slsa3.yml b/.github/workflows/e2e.nodejs.push.main.node16.slsa3.yml index 80df75889..b444d5392 100644 --- a/.github/workflows/e2e.nodejs.push.main.node16.slsa3.yml +++ b/.github/workflows/e2e.nodejs.push.main.node16.slsa3.yml 
@@ -25,7 +25,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -34,7 +34,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow @@ -91,15 +91,15 @@ jobs: needs: [build, publish] runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node environment uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 # NOTE: for building the verifier. - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - run: ./.github/workflows/scripts/e2e.nodejs.default.verify.sh if-succeeded: @@ -107,7 +107,7 @@ jobs: runs-on: ubuntu-latest if: needs.build.result == 'success' && needs.publish.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -115,5 +115,5 @@ jobs: runs-on: ubuntu-latest if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result != 'success' || needs.publish.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.nodejs.push.main.node18.slsa3.yml b/.github/workflows/e2e.nodejs.push.main.node18.slsa3.yml index fe96ee037..4a63f3925 100644 --- a/.github/workflows/e2e.nodejs.push.main.node18.slsa3.yml +++ b/.github/workflows/e2e.nodejs.push.main.node18.slsa3.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -34,7 +34,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow 
@@ -91,15 +91,15 @@ jobs: needs: [build, publish] runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node environment uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 # NOTE: for building the verifier. - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - run: ./.github/workflows/scripts/e2e.nodejs.default.verify.sh if-succeeded: @@ -107,7 +107,7 @@ jobs: runs-on: ubuntu-latest if: needs.build.result == 'success' && needs.publish.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -115,5 +115,5 @@ jobs: runs-on: ubuntu-latest if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result != 'success' || needs.publish.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.nodejs.release.main.default.slsa3.yml b/.github/workflows/e2e.nodejs.release.main.default.slsa3.yml index c858fe0a9..0f264bb24 100644 --- a/.github/workflows/e2e.nodejs.release.main.default.slsa3.yml +++ b/.github/workflows/e2e.nodejs.release.main.default.slsa3.yml 
@@ -24,7 +24,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -33,7 +33,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow @@ -90,15 +90,15 @@ jobs: runs-on: ubuntu-latest needs: [build, publish] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node environment uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 # NOTE: for building the verifier. - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - run: ./.github/workflows/scripts/e2e.nodejs.default.verify.sh if-succeeded: @@ -106,7 +106,7 @@ jobs: needs: [build, publish, verify] if: needs.build.result == 'success' && needs.publish.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -114,5 +114,5 @@ jobs: needs: [shim, build, publish, verify] if: always() && github.event_name == 'release' && startsWith(github.ref, 'refs/tags/v40') && (needs.build.result != 'success' || needs.publish.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.nodejs.tag.main.default.slsa3.yml b/.github/workflows/e2e.nodejs.tag.main.default.slsa3.yml index 45cba5992..59df6bea4 100644 --- a/.github/workflows/e2e.nodejs.tag.main.default.slsa3.yml +++ b/.github/workflows/e2e.nodejs.tag.main.default.slsa3.yml @@ -25,7 +25,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -34,7 +34,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow 
@@ -91,15 +91,15 @@ jobs: runs-on: ubuntu-latest needs: [shim, build, publish] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node environment uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 # NOTE: for building the verifier. - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - run: ./.github/workflows/scripts/e2e.nodejs.default.verify.sh if-succeeded: @@ -107,7 +107,7 @@ jobs: needs: [shim, build, publish, verify] if: needs.build.result == 'success' && needs.publish.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -115,5 +115,5 @@ jobs: needs: [shim, build, publish, verify] if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result != 'success' || needs.publish.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.nodejs.tag.main.unscoped.slsa3.yml b/.github/workflows/e2e.nodejs.tag.main.unscoped.slsa3.yml index b87e854cb..547c12a09 100644 --- a/.github/workflows/e2e.nodejs.tag.main.unscoped.slsa3.yml +++ b/.github/workflows/e2e.nodejs.tag.main.unscoped.slsa3.yml 
@@ -25,7 +25,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -34,7 +34,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow @@ -91,15 +91,15 @@ jobs: runs-on: ubuntu-latest needs: [shim, build, publish] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node environment uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 # NOTE: for building the verifier. - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - run: ./.github/workflows/scripts/e2e.nodejs.default.verify.sh if-succeeded: @@ -107,7 +107,7 @@ jobs: needs: [shim, build, publish, verify] if: needs.build.result == 'success' && needs.publish.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -115,5 +115,5 @@ jobs: needs: [shim, build, publish, verify] if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result != 'success' || needs.publish.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.nodejs.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.nodejs.workflow_dispatch.main.default.slsa3.yml index ffa5e20bb..6a19765d3 100644 --- a/.github/workflows/e2e.nodejs.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.nodejs.workflow_dispatch.main.default.slsa3.yml @@ -27,7 +27,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Bumps the package version pushes, creates a git tag, and pushes the tag. - run: ./.github/workflows/scripts/e2e-bootstrap.sh @@ -36,7 +36,7 @@ jobs: needs: [bootstrap] if: always() && (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build)) && needs.bootstrap.result != 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh # Main workflow 
@@ -93,15 +93,15 @@ jobs: runs-on: ubuntu-latest needs: [build, publish] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node environment uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 # NOTE: for building the verifier. - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - run: ./.github/workflows/scripts/e2e.nodejs.default.verify.sh if-succeeded: @@ -109,7 +109,7 @@ jobs: needs: [build, publish, verify] if: needs.build.result == 'success' && needs.publish.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -117,5 +117,5 @@ jobs: needs: [build, publish, verify] if: always() && github.event_name == 'workflow_dispatch' && inputs.trigger_build && (needs.build.result != 'success' || needs.publish.result != 'success' || needs.verify.result != 'success') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.verify-token.push.main.yml b/.github/workflows/e2e.verify-token.push.main.yml index 68660e453..702038143 100644 --- a/.github/workflows/e2e.verify-token.push.main.yml +++ b/.github/workflows/e2e.verify-token.push.main.yml 
@@ -37,7 +37,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: ./.github/workflows/scripts/e2e-push.sh verify-token-e2e: diff --git a/.github/workflows/e2e.verify-token.reusable.yml b/.github/workflows/e2e.verify-token.reusable.yml index 95967d2c0..e1669ef25 100644 --- a/.github/workflows/e2e.verify-token.reusable.yml +++ b/.github/workflows/e2e.verify-token.reusable.yml @@ -60,7 +60,7 @@ jobs: # "https://api.github.com/repos/$USERNAME/example-package/actions/workflows/e2e.verify-token.schedule.yml/dispatches" \ # -d "{\"ref\":\"$BRANCH\"}" \ # -H "Authorization: token $GH_TOKEN" - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: setup uses: slsa-framework/slsa-github-generator/actions/delegator/setup-generic@main @@ -135,7 +135,7 @@ jobs: runs-on: ubuntu-latest needs: [setup-generic] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify-builder uses: slsa-framework/slsa-github-generator/.github/actions/verify-token@main @@ -156,7 +156,7 @@ jobs: run: | ./.github/workflows/scripts/verify-verified-token.sh - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify-generator uses: slsa-framework/slsa-github-generator/.github/actions/verify-token@main @@ -183,7 +183,7 @@ jobs: exit 1 fi - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify-mismatch-recipient uses: slsa-framework/slsa-github-generator/.github/actions/verify-token@main 
@@ -194,7 +194,7 @@ jobs: output-predicate: mismatch-recipient-predicate.json builder-interface-type: "builder" - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify-mismatch-token uses: slsa-framework/slsa-github-generator/.github/actions/verify-token@main @@ -205,7 +205,7 @@ jobs: output-predicate: mismatch-token-predicate.json builder-interface-type: "builder" - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify-invalid-mask uses: slsa-framework/slsa-github-generator/.github/actions/verify-token@main @@ -217,7 +217,7 @@ jobs: output-predicate: invalid-mask-predicate.json builder-interface-type: "builder" - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: verify-invalid-sha1 uses: slsa-framework/slsa-github-generator/.github/actions/verify-token@main @@ -245,7 +245,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: slsa-framework/example-package ref: main @@ -259,7 +259,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/e2e.vsa.gcp.gke.yml b/.github/workflows/e2e.vsa.gcp.gke.yml index 7611a915b..b8507e81d 100644 --- a/.github/workflows/e2e.vsa.gcp.gke.yml +++ b/.github/workflows/e2e.vsa.gcp.gke.yml 
@@ -21,20 +21,20 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: path: example-package - name: Set up Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: 1.24 + go-version: 1.26 - name: Install slsa-verifier run: go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@${{ matrix.slsa-verifier-version }} - name: Checkout gke-vsa - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: GoogleCloudPlatform/gke-vsa ref: main @@ -52,7 +52,7 @@ jobs: # to issues unless it's a schedule event. if: github.event_name == 'schedule' && needs.verify-attestations.result == 'success' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # The builder should fail if the builder is tampered with. - run: printenv - run: ./.github/workflows/scripts/e2e-report-success.sh @@ -64,6 +64,6 @@ jobs: # to issues unless it's a schedule event. if: always() && github.event_name == 'schedule' && needs.verify-attestations.result == 'failure' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # The builder should fail if the builder is tampered with. - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/github-actions-demo.yaml b/.github/workflows/github-actions-demo.yaml index e8ad07a81..a793debdf 100644 --- a/.github/workflows/github-actions-demo.yaml +++ b/.github/workflows/github-actions-demo.yaml 
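Review bot: In the first hunk of e2e.vsa.gcp.gke.yml the new `go-version: 1.26` is an unquoted scalar, so YAML reads it as a float rather than a version string. It happens to round-trip today, but a later automated bump to a value such as 1.30 would be read as 1.3 and select a different toolchain for building slsa-verifier. The other workflows touched by this commit (the e2e.nodejs.* files and pre-submit.golangci-lint.yml) already quote the value, so this line should match them: `go-version: "1.26"`. The job's step list continues outside the hunk.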
@@ -4,7 +4,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - run: bazelisk build //:hello - uses: slsa-framework/github-actions-demo@v0.1 with: diff --git a/.github/workflows/pre-submit.actionlint.yml b/.github/workflows/pre-submit.actionlint.yml index b0c9403ae..390ec58f0 100644 --- a/.github/workflows/pre-submit.actionlint.yml +++ b/.github/workflows/pre-submit.actionlint.yml @@ -28,7 +28,7 @@ jobs: actionlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: shellcheck env: SHELLCHECK_VERSION: "0.8.0" diff --git a/.github/workflows/pre-submit.golangci-lint.yml b/.github/workflows/pre-submit.golangci-lint.yml index 72571cb07..5dd3275a1 100644 --- a/.github/workflows/pre-submit.golangci-lint.yml +++ b/.github/workflows/pre-submit.golangci-lint.yml @@ -14,15 +14,15 @@ jobs: golangci-lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.24" + go-version: "1.26" - - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 + - uses: golangci/golangci-lint-action@ba0d7d2ec06a0ea1cb5fa41b2e4a3ab91d21278a # v9.3.0 name: golangci-lint with: # Require: The version of golangci-lint to use. # When `install-mode` is `binary` (default) the value can be v1.2 or v1.2.3 or `latest` to use the latest version. # When `install-mode` is `goinstall` the value can be v1.2.3, `latest`, or the hash of a commit. - version: v1.55.2 + version: v1.64.8 
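Review bot: In the pre-submit.golangci-lint.yml hunk, `version: v1.64.8` is still a golangci-lint v1 release while the action is pinned to v9.3.0. As far as I know golangci-lint-action v7 and later accept only golangci-lint v2.x, so this combination should be confirmed against the action's release notes before merging. If the pre-submit check is failing or being skipped, the lint gate gives no signal on later changes. The likely fix is to pin a v2 release, `version: <v2.x.y release>`, and migrate the linter config to match. Separately, a linter binary built with an older Go than the `go-version: "1.26"` set just above may refuse to analyse the module, depending on the `go` directive in go.mod, which is not visible here.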
diff --git a/.github/workflows/pre-submit.shellcheck.yml b/.github/workflows/pre-submit.shellcheck.yml index 65b0d0292..3a7c18d93 100644 --- a/.github/workflows/pre-submit.shellcheck.yml +++ b/.github/workflows/pre-submit.shellcheck.yml @@ -14,7 +14,7 @@ jobs: shellcheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - env: SHELLCHECK_VERSION: "0.8.0" run: | diff --git a/.github/workflows/pre-submit.yamllint.yml b/.github/workflows/pre-submit.yamllint.yml index 75ea24bfe..60cc1ee41 100644 --- a/.github/workflows/pre-submit.yamllint.yml +++ b/.github/workflows/pre-submit.yamllint.yml @@ -14,7 +14,7 @@ jobs: yamllint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - env: YAMLLINT_VERSION: "1.26.3" run: | diff --git a/.github/workflows/schedule.delete-old-releases.yml b/.github/workflows/schedule.delete-old-releases.yml index f8a60f021..93a9e47ef 100644 --- a/.github/workflows/schedule.delete-old-releases.yml +++ b/.github/workflows/schedule.delete-old-releases.yml @@ -17,7 +17,7 @@ jobs: permissions: contents: write # Needed to delete tags steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Delete old releases id: build run: ./.github/workflows/scripts/e2e-delete-old-releases.sh diff --git a/.github/workflows/verifier-e2e.all.workflow_dispatch.main.all.slsa3.yml b/.github/workflows/verifier-e2e.all.workflow_dispatch.main.all.slsa3.yml index d61824504..cb21670af 100644 --- a/.github/workflows/verifier-e2e.all.workflow_dispatch.main.all.slsa3.yml +++ b/.github/workflows/verifier-e2e.all.workflow_dispatch.main.all.slsa3.yml 
@@ -64,7 +64,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Bazelisk uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0 with: @@ -124,13 +124,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Authenticate Docker - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.IMAGE_REGISTRY }} username: ${{ env.REGISTRY_USERNAME }} @@ -138,12 +138,12 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 id: build with: push: true @@ -243,7 +243,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: push env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
@@ -266,7 +266,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - id: push shell: bash run: |